Not Just a Cleanup Any More: LibreSSL Project Announced

An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."

Please change the name!

[cmdrbuzz]

LibreSSL.... Please for the love of code, change the name!

Re:Please change the name!

[TheGratefulNet]

libwressle.so - will be here, sunday, Sunday, SUNDAY!!

Re:Please change the name!

This a thousand times over.

Re:Please change the name!

[YoungManKlaus]

just abbrevate it ... LSSL does not sound that bad to me :)

Re:Please change the name!

I think LeSSL would sound better since they are reducing the code base by so much

Re:Please change the name!

Yes. :P

Sounds abit like Libresse.

Re:Please change the name!

[gl4ss]

nothing to do with wrestling but it sounds like it has something to do with certain kind of "monthlies".

Re:Please change the name!

[KermodeBear]

Could not agree more. Sticking Libre! on the front of everything is getting annoying.

Re:Please change the name!

Agreed!

CleanSSL is already better than Libre lol (even if it's still annoying)

Re:Please change the name!

I dunno... I've always felt that SSL is a female. LaSSL?

Re:Please change the name!

Can't we have FreiheitSSL?

Re:Please change the name!

The problem is that non-Americans don't realize that the average American will pronounce it as "libber SSL" and "libber office", and then when you correct them, they will laugh at you, not at themselves.

Re:Please change the name!

I thought he was making fun of Chekov...

Re:Please change the name!

[ThePhilips]

What is with this reaction of Americans to the French/Latin word "libre"?

Re:Please change the name!

[Mitchell314]

It's the british that use '-re' to sound like 'er'. My guess is that most americans have heard spanish long enough to link '-re' to sound like 'ay'. And have heard canadians long enough to put an 'ay' at the end of any word anyways. :P

Re:Please change the name!

Yes, all of LibreOffice and LibreSSL. It's so annoying having a whole TWO projects starting with Libre.

Re:Please change the name!

[Pieroxy]

It's not English nor does it has English roots, so they don't like it. It's simple really. You can apply that to many things Americans don't like.

Re:Please change the name!

it sounds like eh more than ay...making it sound like ay is what makes an english speaker sound funny when speaking spanish

Re:Please change the name!

[ThePhilips]

And yet Americans like the work "liberty". Civil liberties. Statue of liberty. And so on. That is simply inexplicable.

Re:Please change the name!

[dave420]

I'm pretty sure that's not correct - I've not heard any brits pronounce it that way. They would probably pronounce it as "rer", but not "er". "Leebrer", quite possibly, but never "liber".

Re:Please change the name!

[K.+S.+Kyosuke]

Based on my superior knowledge of Indo-European etymology, I assert that the name means that this implementation will be able to take on some extra pounding from the attackers.

Re:Please change the name!

Off the top of my head there is also LibreWRT and libreswan.

Re:Please change the name!

[martin-k]

LibreSSL? LibreOffice?

This reminds me of something...

http://youtu.be/iV3-OdQkXPU

Re:Please change the name!

[geminidomino]

Clearly you haven't been paying much attention to the US lately. Clearly, we don't.

Re:Please change the name!

It has nothing to do with foreign, in this case it seems like not the most appropriate name and dilutes the meaning. Using LibreOffice when OpenOffice had issues was appropriate, but here the issue is not so much trying to make it more "free."

Re:Please change the name!

Palindrome...Project...Euler...

Re:Please change the name!

[r.freeman]

Yeah we merricans prefer now our beloved police-state, big brother of NSA and all. Down with libre, liberty and all such terrorists.

Slavary is Freedom. NSA is Security War is Peace.

Better now?

Re:Please change the name!

That is simply inexplicable

Yep, that's us 'muricans alright!

Re:Please change the name!

[Barsteward]

English shares about 800 words with French, and French tend to use "re" instead of "er" hence words like" theatre" in English.

Re:Please change the name!

[NeverVotedBush]

What's that, LaSSL? Timmy fell down the well? ;-)

Re:Please change the name!

[StripedCow]

Please for the love of code, change the name!

It is a lot better than libiberty:
http://en.wikipedia.org/wiki/L...

Re:Please change the name!

[LoRdTAW]

Oui Oui, Le SSL!

Re:Please change the name!

[phantomfive]

Why? What's wrong with it?

Re:Please change the name!

That was his point - LibertySSL needs at least 3 holes through which NSA can enfore their librarity.

These communist Canadians really make the work of the Librarity Enforcers of FtMeat impossible !

Re:Please change the name!

I'm Dutch and I hate all those libre names too.

Re:Please change the name!

[Yer+Mom]

So, how about FreedomSSL, then?

Re:Please change the name!

[tendrousbeastie]

I'm British and I always pronounce it as 'leebrer' or 'leebra'.

Re:Please change the name!

It seems that OpenSSL was already taken.

Would you prefer..

OpenOpenSSL

Open^2SSL

Open(OpenSSL)

TheRealOpenSSL (TROpenSSL)

LibreSSL is in line with LibreOffice..

Works for me

Re:Please change the name!

You'll never understand. Most Linux zealots are incapable of appreciating or understanding the value of appearance, design, style, or personal hygiene.

Re:Please change the name!

No... Timmy got heartbled!

Re:Please change the name!

librOffice... that's how you read it...

Re:Please change the name!

This is already four projects too many.

Re:Please change the name!

Why the hell is parent modded funny and not "Informative"???

Re:Please change the name!

[PRMan]

As an American... This sounds AWESOME!

Re:Please change the name!

I think LeSSL would sound better since they are reducing the code base by so much

ROFLMAO Yes, LeSSL would be an apt name and devoid of weirdness.

Re:Please change the name!

Try to google LibreSSE.

Re:Please change the name!

[Doug+Neal]

Same here although it never feels quite right. To me, it just looks French. In French the R would be silent, but 'leeb office' or 'leeb ssl' would sit even worse (and also sound a bit like 'lib' which could be very confusing)

Re:Please change the name!

The "r" in "libre" wouldn't be silent in french.

Re:Please change the name!

[ildon]

It has nothing to do with "Americans." It has to do with the fact that every single open source project that had a version called "Open Something" now has a fork called "Libre Something," even when the name change doesn't make sense (because the original version was "libre" software, too).

It's just people getting tired of a silly trend and a lazy naming scheme.

Re:Please change the name!

[viperidaenz]

FixedSSL

Re:Please change the name!

[Rising+Ape]

It sounds clunky and awkward.

Re:Please change the name!

And yet Americans like the work "liberty". Civil liberties. Statue of liberty. And so on. That is simply inexplicable.

Not really. Americans rip on "liberals" all the time, like liberty is a bad thing.

Re:Please change the name!

[thegarbz]

There's nothing wrong with the word Libre, it's just its use in this context is poor.

Open source has for a long time had a massive problem with naming of programs. I'm not talking about GIMP, I'm talking about naming things in an obvious way, like Photoshop, Paint Shop Pro, both those names mean something, OpenSSL means something too.

The problem is the title clash. OpenOffice, OpenSSL, MySQL, were examples of well named packages where the titles will straight away tell you what the package does. MariaDB wtf? But more importantly the use of the word Libre doesn't differentiate the product.

What is LibreSSL? You mean OpenSSL with a French title? How do projects who's names are synonyms differ? Is LibreSSL somehow free'r than OpenSSL? Or is it the other way around given that OpenSSL is portable to more platforms. Why should I pick one over the other? There's nothing in the title to indicate that they are gutting the code down to size, unlike say TinyVNC.

Why not call it CleanSSL (I didn't say I was better at picking names).
I actually also like the original name suggestion in the blog post, ValhallaSSL. It doesn't mean anything new in the context above but at least it isn't a synonym.

Re:Please change the name!

[thegarbz]

What does Libre mean to you, and how does it apply in the context of LibreSSL vs OpenSSL?

For one, the package with Liberty in the title actually provides less freedoms to the user of how and where they run it. But even if it was just as free to run and use everywhere (which it eventually will be), what does the title actually mean? Assume you've never heard of either package and had to chose them by title. What are the differences?

It made sense for OpenOffice (though I still think LibreOffice is a crap name).

Re:Please change the name!

[phantomfive]

So, your point is that you don't like the name because it doesn't convey meaning?

Re:Please change the name!

[thegarbz]

Not only does it not convey meaning, it's meaning is obfuscated by a similar project that does the same thing with a name that is a synonym. It attempts to convey a meaning that is already in use in another project.

So ... what does LibreSSL mean to you and not knowing anything of the project how does it compare to OpenSSL?

CleanSS?
TightSSL?
BSDSSL?
or my favourite so far:
Secure SSL :-)

Re:Please change the name!

Yes, because no Brit has ever heard anyone speak Spanish, because Spain isn't the top holiday destination for the British!

Re:Please change the name!

yes, but it's very apparent that they don't like the THING liberty

Re:Please change the name!

[phantomfive]

Secure SSL :-)

Good call.

I don't think a name whose main purpose would be to distinguish it from OpenSSL would be very useful, since not long from now OpenSSL will be forgotten, and everyone will be using LibreSSL.

Re:Please change the name!

And related, let us not forget libiberty! Those familiar with linking will understand the humour of this library name.

I'm still waiting for someone to create a library called libesbian (and sit back with popcorn to watch the public's reaction).

Re:Please change the name!

[gmhowell]

What is with this reaction of Americans to the French/Latin word "libre"?

Because the frogs are all about accepting words based in non French?

Re:Please change the name!

Libre and Open are not synonyms. The french name for OpenSSL would be OuvertSSL.

Re:Please change the name!

[Barefoot+Monkey]

Or they could go with MoreSSL, which sounds delicious.

Re:Please change the name!

"OuvertSSL"... I like that. It would almost inevitably end up being "OvertSSL" though, but that's a good name too.

Re:Please change the name!

[thegarbz]

Is that a given? The first thing the BSD guys are doing is removing any portability in favour of clean code. Then auditing and getting it running on BSD. They've openly said they have no plans to support other systems and the compile already fails on Linux. I'm sure someone will fix it and port it to other systems again. But in general your comment reminds me of a few projects which haven't died yet, Open Office, and MySQL. I was promised the same words you just said when LibreOffice and MariaDB cameout.

Re:Please change the name!

How about FreeSSL?

In fact, NetSSL wold be great.

Re:Please change the name!

[hobarrera]

You mean spanish, right?

Re:Please change the name!

[Dr.+Blue]

What is with this reaction of Americans to the French/Latin word "libre"?

Don't know about others, but for me it makes me think of Jack Black in tights. And that's just not pleasant.

Re:Please change the name!

I'm pretty sure that's not correct - I've not heard any brits pronounce it that way.

Are you talking about programmers or laypeople? Because I'm sure that a British layperson, given the pronunciation of words like "theatre" and "centre" would pronounce libre in a similar way.

Re:Please change the name!

[cheesybagel]

I preferred the other name I heard. Open^2SSL.

Re:Please change the name!

[cheesybagel]

LessSSL is actually a better name since they are deleting code rather than adding code.

Re:Please change the name!

[phantomfive]

Well, unless someone else cleans up OpenSSL, it will be going away for sure. Either that or I have too much respect for developers and IT people in this world, and I don't have much.

Re:Please change the name!

[Barefoot+Monkey]

I don't disagree. In fact, I love that idea for a name, and will be delighted if they decide to use it. LibraSSL is very awkward; LessSSL is slick.

Re:Please change the name!

[aestrivex]

but as everyone knows, moreSSL is just an old, crappy library that is clunky and strange and all of whose features are present in lessSSL

Re:Please change the name!

He wanted to say 'And yet Americans like the word "liberty".' Just the word, not the concept.

Re:Please change the name!

[Karzz1]

I like VSSL -- very secure socket layer :P
It could even be written/pronounced VeSSeL. Loose definitions of vessel could even be applied to the functionality of SSL.

Re:Please change the name!

So I get it, the problem is "libre" is a word difficult to pronounce... one second, reaaalllyyy? I mean, libre is pronounced exactly as you write it /libre/. Do you prefer "freeSSL"? "Free" is pronounced /fri:/. So if anything, it's "libre" the easy word to pronounce. For christ's sake, you people usually have to learn how to spell your words and have spelling contests. In spain we don't have those. You know why? Because 99% of the words in spanish are written as they are said, the translation is trivial. So get over it.

Re:Please change the name!

[Dolda2000]

Do note how you can also read it as libReSSL, though.

Re:Please change the name!

Yet another gmhowell 1 line fart of a reply!

Slow clap

[isa-kuruption]

'Nuff said

Awesome!

I look forward to new and interesting side-effects of the pell-mell rush to clean up the code of a poorly written, poorly maintained, and even more poorly documented software package!

Re:Awesome!

[BreakBad]

Maybe not as pell-mell as it is opportunistic.

Re:Awesome!

[lemur3]

I look forward to new and interesting side-effects of the pell-mell rush to clean up the code of a poorly written, poorly maintained, and even more poorly documented software package!

more poorly documented than OpenSSL?

the OpenBSD team creates some of the best documentation out there.. it is one of their major accomplishments and clearly important to them.

if all they did were document it, openSSL would be better off for it.. they are forking it, improving the code and documenting it.

Of course, they arent gods, perhaps mistakes will be made.. but this team is known for producing high quality code and high quality documentation.. .. i think that you couldn't be any further from the mark with your flippant remark mr AC!

Re:Awesome!

[rubycodez]

yes, the team has proven themselves cleaning up BSD and many other projects. they have creds and accomplishments in that field

Or..

[bytesex]

you use polarssl. Which is already exactly that.

Re:Or..

[bluefoxlucid]

It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help. OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD unless you give them money to make it not.

This will ultimately end in a lot of additional wasted effort to undo the damage OpenBSD is doing to LibreSSL so that the code can be ported back into OpenSSL proper, rather than investing slightly more effort in the first pass to do it right and not having a hefty second pass where they need to identify why it doesn't work on Linux/FreeBSDlWindows and then undo some of the things they did.

Re:Or..

[marcello_dl]

Possibly it would be easier to integrate polarssl than clean up openssl, but they maybe like to work on crypto code instead of on interfaces.
Given that it's a volunteer effort (by them and by those who will volunteer some cash) I do not complain about it anyway.

Re:Or..

[Dancindan84]

That's what I was wondering. The summary is a little vague, and I didn't really get a whole lot of clarity reading the articles as to whether OpenBSD was cleaning up OpenSSL and forking it to LibreSSL, or just cleaning up the code AS they forked it to LibreSSL. It seems like the latter, and if they're not contributing back and keeping LibreSSL OpenBSD only (at least initially), they're solving a problem less than 1% of us are having rather than helping a whole lot more.

I'd much rather see the OpenSSL project itself get cleaned up (or forked/restarted for "everyone" if the code needs more than cleanup) than have it forked and cleaned up for JUST an OpenBSD implementation.

Re:Or..

Are you on crack or just poorly trolling?

How is that even remotely "holding OpenSSL hostage" ??? they make their own version for their pet OS. No one forces *you* or anyone else to use it, no one is forbidden to fix OpenSSL meanwhile (except for these few developpers cleaning up LibreSSL I guess)

If you know how to fix OpenSSL, please be my guest, otherwise just stop spouting nonsense ...

oh, and by the way, seriously, go take a look at the horrible code that they're cleanning up and removing ... double free, missing checks, useless if/else conditions, memory mismanagments, and worse ... that cleanup was long overdue.

Re:Or..

[xxxJonBoyxxx]

PolarSSL doesn't have the same licensing model as OpenSSL, so it's not a drop-in replacement. (https://polarssl.org/how-to-get vs. http://www.openssl.org/source/...)

Re:Or..

[rvw]

It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help. OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD unless you give them money to make it not.

FUD!

It's BSD! Source code will be available. No restrictions! How can they not give it back?

Re:Or..

[serviscope_minor]

Strong, your hatred of OpenBSD is. Blinded you are.

Actually, more like a raging fuckwit you are.

It's not about a better OpenSSL. It's about OpenBSD waving its penis around.

Frankly you're a complete fucking idiot if you think that. Basically if you persist on believing it, you are either ignorant or stupid. If the former, there's no excuse because it've been covered so many times on just slashdot alone. Therefor it's wilful ignorance. Actually I think it's malice because you appear to hate OpenBSD for no rational reason.

OpenBSD want an API compatible, SAFE version of OpenSSL for their operating system. Rather than whining on the internet with their tumb up their ass, they're actually doing something about it. So they can provide a safe, BSD licensed operating system, which is their goal.

The OpenSSL team is amenable to aid; but they have two developers and no help.

So? That's the fault of the 10,000 companies out there who use openSSL but were too stupid to consider it worth chucking a few bucks to the OpenSSL team. The fact that the OpenBSD team is doing something about it is not a fault with the OpenBSD team.

OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD

Well, I guess they should have used a different license then. The OpenBSD folks aren't even makeing it closed source. It's out there if you want it. And it's specific to OpenBSD because---guess what---it's being done by OpenBSD developers. But they're good programmers and good people. It's not going to be heavily tied to OpenBSD. It will be pretty portable code.

OpenBSD unless you give them money to make it not.

OMG nuuuu!!111oneeleven People on the internet aren't working for free for me!! How dare those evil fuckers want to get fucking paid for FUCKING WORK!!! The bastards! They're doing nothing but waving their penises around. How dare they.

whine whine blah blah

No one is obligated to work for you for free. Fact is they actually are because OpenSSL badly needed this cleanup of the outer crap. The OpenBSD people are doing it for free in their own time and it's quite astonishingly arrogant of you (who hasn't donated a dollar or an hour of your time) to complain about how.

The chances are with the code being cleaned up, it will actually be more easily portable to other systems modern than the old code. They're not doing damage because the old code is still there and you can keep using it warts and all for as long as you like.

Re:Or..

OpenBSD is POSIX compliant. FreeBSD is POSIX compliant, Linux is POSIX compliant. What they are doing is taking off the rotten onion layers that the OpenSSL team put in that caused this whole mess.

Once you have a base that is, in this case POSIX compliant, you can write proper wrappers to support non-POSIX compliant OS's.

I think that you're missing the whole Open Source mantra, "you have a need or need to fix something, be our guest". No where in there does it say that it's YOUR duty to make sure that it works with everything, that's the next person's job who uses it on a different platform.

OpenBSD was written to be as secure as possible, the team continues that tradition by forking the code and cleaning it up to ensure that it doesn't compromise their other projects. That's all they have to do. It's up to the next person to pick up the base code and add support.

Re:Or..

[BitZtream]

Not contributing back? Are you fucking retarded? The OpenSSL team can always take fixes from the version that OpenBSD creates.

This has nothing to do with Theo's penis and everything to do with OpenSSL being a monstrous pile of crap that its devs are afraid to touch.

So basically what you want them to do is take your pet project, fix the fact that its a bloated pile of crap, and do it for your OS and your requirements which have absolutely nothing to do with theirs?

You've got to be pretty lazy and extremely selfish to make such a retarded comment ... and that goes for all the idiots who modded you insightful.

What they should have done, is created BSDSSL and dropped all the retarded SSLeay and other silly licensing crap that goes with OpenSSL.

And for the record, its unlikely that it won't work out of the box on *BSD, which have a pretty consistent API across all of them.

But hey, you're right, they should totally fix your problems for free because you said so and you weren't willing to do it yourself. Selfish fuck.

Re:Or..

they're solving a problem less than 1% of us are having rather than helping a whole lot more.

Well, they solved another problem once alreay and we ended up with OpenSSH, so I'm not worried about that (OpenSSH which *is* an OpenBSD project, as opposed to OpenSSL that people seemed to get so confused about lately)

Re:Or..

You're right. It's not about a better OpenSSL. It's about OpenBSD taking security seriously and realising that unless they fork and do a massive cleanup then they'll not have a trustworty SSL implementation in their OS.

Why is it their job to make sure it works on Linux and other OS? Anyone can take this code and do as they please.

Do you think the OpenSSL project would accept the hundreds of changes that's been made for the past two weeks? In a timely manner? No. Fork and avoid the bureaucracy.

Re:Or..

[bluefoxlucid]

The source code is available. Is the labor available?

My point is that it costs less in labor to rewrite OpenSSL cleaned-up but OpenBSD only without consideration for other OSes than it does to rewrite OpenSSL with no such consideration. Then, when you go back and fix the now-broken OpenSSL rewrite (LibreSSL), you add more than the difference in that labor: it requires more overall effort to do this one-and-a-half times than to do it right once.

So you have two options: Pay up and have the OpenBSD writers supply the additional half-effort to port LibreSSL back to everything; or pay up and supply your own labor as the additional half-effort to port LibreSSL's changes back into OpenSSL, after fixing the code up for full multi-OS support, with a diverging code base as you go along making tracking harder over time.

They're not giving everyone a rewritten OpenSSL; they're giving everyone the concept of a rewritten OpenSSL, which you can put into use on OpenBSD, or you can apply your own effort or apply money to OpenBSD to get written to work on Linux/FreeBSD/Windows.

Re:Or..

It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help. OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD unless you give them money to make it not.

This will ultimately end in a lot of additional wasted effort to undo the damage OpenBSD is doing to LibreSSL so that the code can be ported back into OpenSSL proper, rather than investing slightly more effort in the first pass to do it right and not having a hefty second pass where they need to identify why it doesn't work on Linux/FreeBSDlWindows and then undo some of the things they did.

Jesus motherfucking Christ! First of all, anyone with a dozen neurons can see that this effort is totally about making a better OpenSSL. But you know what? Even IF the OpenBSD folks are only concerned about making something better for OpenBSD, even IF they are "waving its penis around", what business is that of yours? Or anyone else who is not contributing to their effort? Every developer on the LibreSSL team is a volunteer, and as such, they have the implied right to tell you to GFY.

It is perfectly clear what motivates you: nothing but petty jealousy and a thinly veiled incompetence. Well, you know what they say: the dogs bark, but the caravan goes on.

Re:Or..

[bluefoxlucid]

The OpenBSD folks aren't even makeing it closed source. It's out there if you want it. And it's specific to OpenBSD because---guess what---it's being done by OpenBSD developers.

And

OMG nuuuu!!111oneeleven People on the internet aren't working for free for me!! How dare those evil fuckers want to get fucking paid for FUCKING WORK!!!

Conflicting stances.

The fact of the matter is they have two possible modes of operation: Contribute code back to OpenSSL or create a project tied to OpenBSD that won't run elsewhere. They've voiced openly that this new code will run on OpenBSD but not elsewhere, but that they'll fix it to run elsewhere if you give them money. Or, you could apply your own effort to it.

Fact of the matter is they're not being philanthropic; they're dangling a carrot and telling you if you want it you can either pay them to bring it down to you or you can climb the mountain and come take it. They're putting in some effort to grow the carrot, but they've decided to plant their carrot field atop a mountain instead of using the fertile farm land at the base where the villagers can get to it. Only the elite--the rich or the strong--can get the carrot, either by climbing the mountain themselves or by paying for the privilege of having it brought to them. In this model, it happens that once somebody has done this, they can grow their own carrots (with some of the same effort) from the first carrot, and give carrots to all regardless of their affluence or their fitness to climb the mountain.

Re:Or..

[bluefoxlucid]

Are you fucking retarded? The OpenBLD team can always contribute fixes to the version that OpenSSL maintains.

So basically what they want to do is take their pet project, fix a bloated pile of crap, and do it with no concern for other OSes and everyone's requirements which have everything to do with producing actual useful output?

They've got to be pretty lazy and extremely selfish to make such a retarded decision.

But hey, you're right, they should totally create a vendor-locked version of an extremely critical core Internet security technology and then tell people that they can either pay up or do the work to vender-unlock their non-portable code themselves. Selfish fucks.

Re:Or..

[aliquis]

But maybe the people behind OpenSSL want their format of the code, want their VMS stuff even if it had no use longer (if that's the case) and want their own malloc if they consider that faster.

By doing it this way they can format the code in a way they are comfortable with reading/using and do whatever they want without anyone else complaining or not accepting their changes.

I don't know whatever they remove usable features which just isn't used by/necessary in OpenBSD or not.

Likely limit their burden but still allow them to fix what they may not feel comfortable using as is.

Re:Or..

[aliquis]

And as for LibreSSL the choice would be simple had OpenSSL not already been called OpenSSL.

Just rename it OpenSSLeay or something and let the OpenBSD people use OpenSSL ;D

Re:Or..

The fact of the matter is they have two possible modes of operation: Contribute code back to OpenSSL or create a project tied to OpenBSD that won't run elsewhere. They've voiced openly that this new code will run on OpenBSD but not elsewhere, but that they'll fix it to run elsewhere if you give them money. Or, you could apply your own effort to it.

I could make a long answer to your biased idiocy, but I'll just point out that these are the guys who brought us OpenSSH ... you know, a project tied to OpenBSD that won't run elsewhere ...

Re:Or..

To this orgy of entitlement that's emanating from you, I can only say that there's a website for your kind of people.

Re:Or..

[serviscope_minor]

Conflicting stances.

No, not really. The OpenBSD people are working on OpenBSD for free because they want to. If you complain because they're not working on your preferred thing for free, you come across as a huge dick---precisely what you were complaining about said developers for waving around.

The fact of the matter is they have two possible modes of operation:

Holy false dichotomy batman!

Contribute code back to OpenSSL

The code is out there for the OpenSSL devs to take if they want. In fact it's all in the form of versioned patches against the OpenSSL code base. If the OpenSSL devs don't want to take it, then there's going to be a fork. That's not the fault of OpenBSD. The chances are there will be a fork because the goals of OpenSSL and OpenBSD are divergent.

or create a project tied to OpenBSD that won't run elsewhere.

Or the third way of creating a portable library.

They've voiced openly that this new code will run on OpenBSD but not elsewhere,

Seems reasonable. Their goal is to make a secure, BSD licensed operating system. I can see why they'd not want to waste their precious, valuable free (and sometimes funded by OpenBSD donors) time working on things which aren't open BSD.

but that they'll fix it to run elsewhere if you give them money

Sounds reasonable to me. If you want a programmer to work on something for you that they don't already want to do themselves, then you pay them. Completely reasonable. I won't port my libraries to Windows or MacOS unless someone pays me because I don't like working on windows and don't own a Mac.

Or, you could apply your own effort to it.

Isn't OSS neat? You don't even have to pay them! If you do the work up to an acceptable level of quality, they'll even bless it and include it in the official release. What decent, stand-up people they are.

Fact of the matter is they're not being philanthropic;

Of course they are: they're providing a complete, free, secure operating system with many components that with little effort can be released elsewhere. For free, using their own time an effort. Just because they're not giving you exactly what you want doesn't make them not philanthropic.

Do you also complain donate money to a registered charity instead of you personally? Does that also make them not philanthropists?

they're dangling a carrot and telling you if you want it you can either pay them to bring it down to you or you can climb the mountain and come take it

So basically they're providing some great free carrots and you're objecting because they're not walking up to you and stuffing it in your mouth. And it's hardly a mountain.

They're putting in some effort to grow the carrot,

If by some you mean a far, far more more than it would take for you to dray yourself up there, then yes. It's their time to put in. They can do it how they like. Dictating to them how they shoudl spend their time without offering the slightest incentive makes you seem entitled.

but they've decided to plant their carrot field atop a mountain instead of using the fertile farm land at the base where the villagers can get to it.

You mean they've put it where they need it rather than where a bunch of useleless people who have never contributed a thing to them and do nothing but whine on the internet would find it most useful. Oh the huge manatee! The bastards. How could they!

Only the elite--the rich or the strong--can get the carrot,

Or the people who run OpenBSD. It's free and open source. It even comes precompiled. Go install it for free and enjoy the fruits of their labour. Or contribute $1. If everyone who whinged like you contributed a dollar, you'd have it by now.

If you count your self as not rich enough to contribute a dollar and not strong enough to install OpenBSD or hack some C code, then you really do have my depeest sympathy. Well a bi

Re:Or..

Ummmm is that sarcasm or willful stupidity? I ask because OpenSSH will run on other systems.

taken right from the OpenSSH website .... oh and yes I have had OpenSSH working on systems other than OpenBSD

OpenSSH is developed by two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. We believe that simplicity without the portability "goop" allows for better code quality control and easier review. The other team then takes the clean version and makes it portable (adding the "goop") to make it run on many operating systems -- the so-called -p releases, ie "OpenSSH 4.0p1".

Re:Or..

LibreSSL is not going to be ported back, they are refactoring the code, making huge changes. The base will no longer be compatible for patches.

Re:Or..

[serviscope_minor]

My point is that it costs less in labor to rewrite OpenSSL cleaned-up but OpenBSD only without consideration for other OSes than it does to rewrite OpenSSL with no such consideration. Then, when you go back and fix the now-broken OpenSSL rewrite (LibreSSL), you add more than the difference in that labor: it requires more overall effort to do this one-and-a-half times than to do it right once.

Well, the OpenBSD people disagree with you. You also forgot the auditing of the code that they're goig to be doing once it's fixed. Much easier on a clean codebase.

They're not giving everyone a rewritten OpenSSL; they're giving everyone the concept of a rewritten OpenSSL, which you can put into use on OpenBSD, or you can apply your own effort or apply money to OpenBSD to get written to work on Linux/FreeBSD/Windows.

So they're buiding something they need for themselves personally, but are generous to make it available to everyone should anyone else need it. And they'll even let you freely modify it if it doesn't fit your needs! Not only that but if your mods are of no benefit to them but cleanly written and useful to others, they'll even go out of their way to include them in their project. What nice people. I think they should be applauded for their philanthropy.

They do sound like awfully nice people to me.

It's really a shame that there are so many people on the internet who complain they they're not spending even more time and even more effort to give more away for free. But there you go: some people just have a sense of entitlement out of all proportion.

Re:Or..

Call the new one OpenTLS and remove any support for old insecure SSL variants at the same time...

Re:Or..

[bluefoxlucid]

Well, the OpenBSD people disagree with you. You also forgot the auditing of the code that they're goig to be doing once it's fixed. Much easier on a clean codebase.

That's part of the initial work. Once the code is re-ported and re-imported into the (diverging) OpenSSL base, it will require an additional audit. Things like Frama-C produce reports on impact analysis--you changed one line in one function and it affected 15% of your entire 2 million line code base.

Decades of research indicate that doing something not-quite-right the first time and then going back and redoing it requires more labor than doing it right the first time. We have an end state that we argue is good; and an intermediate state that moves away from that, with an alternate plan which moves directly toward the end state. The argument is that this other strategy reaches a given end state with less total work.

So they're buiding something they need for themselves personally, but are generous to make it available to everyone should anyone else need it. And they'll even let you freely modify it if it doesn't fit your needs! Not only that but if your mods are of no benefit to them but cleanly written and useful to others, they'll even go out of their way to include them in their project. What nice people. I think they should be applauded for their philanthropy.

They do sound like awfully nice people to me.

They're making a political move. To argue directly against your argument, I would have to argue for the closing of the OpenBSD project entirely. I have instead provided a counter-argument that they could, you know, contribute to the community at large instead of to their own ego.

This is a think-of-the-children move. "Look how bad these OpenSSL people are! We're going to do a bunch of work to make things better! But it won't be better for YOU! It's just really being done to mock OpenSSL and show you that we're awesome, because we have things YOU don't have! Oh, but you could do a bunch of extra work yourself to take OUR things back and improve YOUR things. We won't do that though, because we're selfish tantrum-babies! But, OUR thing is free, so you know. We're really awesome! And fuck you all who don't use our thing, we're not here to help you infidels! We should fly a plane into your house!"

Re:Or..

[bluefoxlucid]

Tell you what, how about you come over to my house at a time of my choosing (I'm a busy man) and at your own expense (I don't see why I should have to pay you for travel if I'm not going to pay you for the work) and dig my garden for me for free and exactly how I like (it has to be just-so or it doesn't count).

Actually, in my community, I had a burned down house that was there for 14 years torn down. I've been recommended to put a fence around it so people don't walk through, but that would be ugly. Instead I've bought the lot, and planted fruit trees and lavender bushes, added a bee hive. So rather than a fenced-off ugly lot with a private park, I have applied similar (nearly identical) effort and gained a huge improvement for the community. Of course, trash does blow through occasionally and I have to rake it up out of the yard; that's almost exactly the same amount of work as anyway, what with twigs and leaves and lawn clippings from my normal tasks.

I could have, at nearly the same cost, placed a border fence instead, and then sold the house off to someone else. Then, if they were so inclined as to de-uglify the community, they could invest the added cost and effort to tear down and dispose of the fence, and then plan out and plant border plants (in my case, lavender) to make it nicer. When combining the expense and effort I put in with this added effort, we get significantly higher cost and effort than if I just go with this plan outright.

Similarly to the "doing it wrong the first time" pattern, my kitchen was built with a wide opening. I came in, cut down a wall, built across a half-height wall, moved a counter, and now my kitchen has 30% more floor space, 150% more cabinet space, 150% more appliance space. To do this initially would have taken an extra 90 minutes and $378; for me to do it as-is took 14 days of working time and an additional $1200, not including removal costs of excess materials from demolition.

So you see, this sort of "do it and do it over again" working behavior makes the community poorer. Rather than investing a few extra hours of time in multi-thousand-hour projects, we save 10-15 hours across years and create an additional several hundred hours of review and merging into diverging code bases, along with the increased risk in bugs as the code bases diverge and get features mutually migrated across, requiring additional labor for further review.

But we do get to tell people we're not doing a giant ego wank, and instead are doing what's best for the community.

Re:Or..

of course it was a sarcasm ... I should have put a tag I guess

my point was, and remains, that in his hatred of OpenBSD, bluefoxlucid seems to think that because OpenBSD do LibreSSL for them, it will never become multiplateform when we have an excellent troll-proof example, OpenSSH, that the whole process already happened once.

Re:Or..

[Just+Some+Guy]

But their "JUST an OpenBSD implementation"s seem to be imminently portable to other platforms with minimal work. See OpenSSH as perhaps the shining example of this. If I were porting code to a new platform, I'd rather start with something from the OpenBSD guys than just about anyone else. That's why I donated to the project this morning.

Re:Or..

[ChunderDownunder]

Once the code is re-ported and re-imported into the (diverging) OpenSSL base, it will require an additional audit.

This is a permanent fork akin to KHTML -> Webkit.

There is Buckley's chance OpenSSL will survive in any relevant fashion in its original form.

Re:Or..

[ChunderDownunder]

sarcasm, hold your fire.

Parent is saying Theo and team are worthy stewards of ssh and will again be so regarding ssl.

Re:Or..

But we do get to tell people we're not doing a giant ego wank, and instead are doing what's best for the community.

You did what was best (or so you thought) for your community

They're doing what is best (or so they think) for their community

your point is moot

Re:Or..

[serviscope_minor]

That's part of the initial work.

I'd say that's a good fraction if it.

Once the code is re-ported and re-imported into the (diverging) OpenSSL base

Who says they're going to do that? Much more likely that LibreSSL will be an API compatible alternative. They're only going to re-integrate if LibreSSL clean up which essentially means removing a huge amount of dead code. Which is what the OBSD people are doing.

it will require an additional audit.

Good job they're not doing it then.

Things like Frama-C produce reports on impact analysis--you changed one line in one function and it affected 15% of your entire 2 million line code base.

That sounds like poor design. The OBSD people are world class experts at producing secure, audited OS level C code.

Decades of research indicate that doing something not-quite-right the first time and then going back and redoing it requires more labor than doing it right the first time.

Who says what they're doing is wrong? They're making it for OpenBSD, but OpenBSD is not a whacky system. Besides it's much easier to make sane changes against a small, well written codebase than it is to make small changes against a hairy hoary mess.

The argument is that this other strategy reaches a given end state with less total work.

Actually, no your argument was that the OBSD developers were penis waving. Ignoring that for the moment, they're trying to get down to a small audited core. This means ripping out everything that harms that goal leaving behind a small, well organised core.

Perhaps it is better to make the core more portable than go for OBSD only then see what breaks when it's being ported. There are basically a few options here: try to fix the old codebase without breaking portability (very hard), make it sane first (what they're doing now) and make it sane without sacrafiacing portability.

The middle option is the least work, and this happens to be what they're doing. It's also the only option which aligns with their goals---not only is OBSD of personal interest to these people, but it would be deeply unethical of them to use OpenBSD funding to work on other operating systems.

However they're not being dicks about it and they're not going to make life hard for you if you want a portable version: they'll even integrate it right now if you have the changes.

They're making a political move. To argue directly against your argument, I would have to argue for the closing of the OpenBSD project entirely.

So basically, you think that Theo de Raadt, who has put a vast amount of his own time and effort into this should just stop because you say so? Are you for real?

I have instead provided a counter-argument that they could, you know, contribute to the community at large instead of to their own ego.

They provide one of the most secure OSs ever made completely for free for anyone who wants. How is this not contributing to the community? They also provide OpenSSH(d), the most widely set of ssh tools in the world. Again how is this not contributing to the community? Finally off their own backs they're doing a complete stripdown and audit of the most popular SSL library free for anyone to use. Not only that, they'll even keep it up to date. How the fuck is that not contributing to the community?

But no, you're suggesting that Theo and crew should just give up and contribute *DIRECTLY* to you. I doubt de Raadt even owns a Windows or Linux machine. Why and how do you think he would do portability to those systems?

Your sense of entitlement is *incredible*. Truly, I've been flaming on the internet for years and yet you are possibly the most entitles person I've met.

This is a think-of-the-children move. "Look how bad these OpenSSL people are! We're going to do a bunch of work to make things better

Yay! That's fantastic news! They're ripping out ancient and hideous VMS compatibility code and other e

Re:Or..

[serviscope_minor]

Actually, in my community...

So? I don't live in your comminuty. I live elsewhere so what you did there is useless to me. So, come over to my place and fix it up. No, I *DEMAND* you do, or I shall say mean things about you on the internet. In fact I shall say exactly the same silly things about you being a selfish bastard and how fuck me and basically all the same silly things you're saying about the OBSD developers.

Basically you're whining about how they're not (metaphorically) flying 5000 miles to fix up a house in your community and in your defense you're saying you are a good person because you fixed one in your community so it doesn't matter that you didn't fly 5000 miles to fix mine.

So either come and fix my house or stop complaining that the OpenBSD people aren't fixing yours.

Similarly to the "doing it wrong the first time" pattern, my kitchen was built with a wide opening.

Your analogy is poor. I better analogy would be ripping out the kitchen completely and then fixing all the rotten beams underneath it, then doing a complete structural survey to make sure it's not going to callapse all of a sudden in the future. All that is expensive and hard no matter what.

That fact that they're putting in just enough support material to get it running in one place (or if you like, tacking a few power sockets and basic plumbing) is not going to prevent yourself from building a lovely completely flawed analogy on top of this.

But we do get to tell people we're not doing a giant ego wank, and instead are doing what's best for the community.

Just like you with your dubious story at the beginning about you you improved your local community, the OpenBSD people are doing exactly the same with their local community. And you're whining because they're not putting in even more time to fix yours as well.

So, the offer stands: if you come and do my garden for me for free at your own expense then I'll accept your point that the OpenBSD people should do more free work for you than they're already doing.

Re:Or..

[thoth]

I'd much rather see the OpenSSL project itself get cleaned up

That would be ideal, and there's nothing stopping the OpenSSL project from doing that.

OpenBSD is a group that says - we are relying on this code that is totally busted, let's fix it - and they prioritized their OS first. I don't see a problem with that. OpenBSD is already making their work publicly available for free, they don't have the onus to actually provide bullet-proof solid code for every platform on the planet. Turns out other OS hackers need to roll up their sleeves too, and fork over some cash to support the effort.

Re:Or..

[Dancindan84]

That would be ideal, and there's nothing stopping the OpenSSL project from doing that.

Except for a lack of manpower and funding, which this fork is splintering even further. And the vague way that they say they're cleaning up OpenSSL when what they're doing is in fact forking it honestly strikes me as misleading. I don't mind that their out to make an OpenBSD specific fork of OpenSSL per se, just that if I'm going to fund something I'd rather fund getting it fixed for everyone.

Re:Or..

I'd much rather see the OpenSSL project itself get cleaned up (or forked/restarted for "everyone" if the code needs more than cleanup) than have it forked and cleaned up for JUST an OpenBSD implementation.

Where are your diffs?

Re:Or..

I have instead provided a counter-argument that they could, you know, contribute to the community at large instead of to their own ego.

You're very generous with others' time. Where are your diffs?

Re:Or..

[bluefoxlucid]

Except that OpenBSD's code base won't be made to work on anything not-OpenBSD, and has been stated to break unless someone pays OpenBSD to not break it. So there will either be continuous chance of breakage unless people pay continuously, or there will be a fork of the fork--which will turn into people porting it back into OpenSSL.

The continuous chance of breakage isn't visible now: they said they'd make it OS-agnostic if people pay; they didn't say they would put continuous effort thereafter into keeping it that way, but they didn't say they wouldn't. They've hinted, thus, that they want cash rather than developer contributions; and that OS portability is not a goal of the project, but rather a thing done under a sort of social agreement which can be lubricated with something called "currency". These terms are worrying, as they hint that LibreSSL development may continue recklessly after being re-based as platform agnostic, and thus may again break by happenstance, and perhaps will not unbreak as this is not a goal of the OpenBSD developers writing LibreSSL, but it could be if you provide more currency.

So it's wasteful. It may be hostile.

Re:Or..

[bluefoxlucid]

Things like Frama-C produce reports on impact analysis--you changed one line in one function and it affected 15% of your entire 2 million line code base.

That sounds like poor design. The OBSD people are world class experts at producing secure, audited OS level C code.

Ah, I see you don't understand how programming works.

Let's say you have a function. And you call that function. It does one of two things: either it modifies an object passed to it, or it modifies global state (global variables, etc.)

When you modify an object, every function which does something with the part of the object which has been modified is affected. If you can show paths whereby changing this code changes the behavior of this other code, which has an impact on this other code, then you have spread impact. For example: if your modified function computes a boundary condition, modifying a line of code which controls how the boundary condition is computed has an impact on every function which uses that boundary condition.

So when you modify, say, a certain data packet handler that produces a certain object, then every function that handles that object is impacted. You modify one line, and 50 functions are impacted. The data that they see could be different, as it's computed in a different way--a more efficient way that's identical, perhaps (unit tests can show this); or a different way which fixes a bug, changing the data set in some conditions, which impacts what data those other functions will get in practice.

That means merging code between divergent code bases has far-reaching implications.

That or install OpenBSD. And I can assure you it would be less work for you to port it than the strip down and audit in the first place.

There is a 100% chance that the work required to fix OpenSSL as-is and keep it portable between OSes is substantially less than the work required to first fix OpenSSL with reckless abandon and make it non-portable, then go back through and pick it apart and work out how to make it portable again.

That means this is a waste of development effort. It should be done correctly the first time, not done wrongly the first time by a bunch of whiny babies throwing a tantrum.

Basically yes. They're giving awesome stuff away for free. If you don't like it you can simply pretend it doesn't exist and you've lost nothing.

Right. The OpenBSD developers are worth nothing.

Re:Or..

[bluefoxlucid]

Basically you're whining about how they're not (metaphorically) flying 5000 miles to fix up a house in your community

I'm arguing that they're (metaphorically) a part of a community, and that they're doing substantial work, but they're doing the work in such a way that the community which they are a part of will need to do substantial additional work to benefit from it. If they were to do the work slightly differently, they would not do substantially more work, and yet the whole community would face great benefit.

It's basic economics.

Re:Or..

[BitZtream]

No. The OpenBSD team will make it OS agnostic and it will work on OpenBSD, making it OS agnostic doesn't mean they'll port it to other OSes, they do it for themselves. Its pretty fucking retarded that you think they should do it for you for nothing.

Re:Or..

[bluefoxlucid]

Like Internet Explorer is OS agnostic, it's just not ported to other OSes.

Anyway it's irrelevant. In 5 weeks no one will even remember LibreSSL was a thing.

Re:Or..

[serviscope_minor]

Let's say you have a function. And you call that function. It does one of two things: either it modifies an object passed to it, or it modifies global state (global variables, etc.)

one of 3 things. It can also compute something based on the data passed to it and not modify the data passed. That's functional style, and is generally considered good practive. The fact that you made such an elementary error after saying:

Ah, I see you don't understand how programming works.

amuses me.

That means merging code between divergent code bases has far-reaching implications.

who says they're merging back? If they are then your whining is for nothing since it will be merged back. If not then your point is moot.

There is a 100% chance that the work required to fix OpenSSL as-is and keep it portable between OSes is substantially less than the work required to first fix OpenSSL with reckless abandon and make it non-portable, then go back through and pick it apart and work out how to make it portable again.

You make this assertion, so prove it. The open BSD people are good programmers so they likely do not scatter OS dependenies throughout the code, but keep them cleanly at boundaries.

That means

No, because your assumption is faulty, your conculsions are unsupported.

The OpenBSD developers are worth nothing.

says the man who never uses SSH and never used a machine administered by ssh.

Re:Or..

[serviscope_minor]

I'm arguing that they're (metaphorically) a part of a community, and that they're doing substantial work, but they're doing the work in such a way that the community which they are a part of will need to do substantial additional work to benefit from it. If they were to do the work slightly differently, they would not do substantially more work, and yet the whole community would face great benefit.

No, you're full os shit basically. They're doing a huge amount of work. They're going to write portale code because they are good programmers but not going to to the porting---just like openssh. They write good solid portable code, other people port it, everyone wins.

It's basic economics.

It's funny hoy you cite "eonomics" as your argument for why people should give you free stuff. Here's a clue: pay them and they'll do it.

Re:Or..

[serviscope_minor]

Like Internet Explorer is OS agnostic

Da fuq?

Do you like making up lies to support your point, or do you actually believe the drek you're posting?

Anyway it's irrelevant. In 5 weeks no one will even remember LibreSSL was a thing.

No, your point will be irrelevant because someone will port it and LibreSSL will start replacing OpenSSL.

Re:Or..

[bluefoxlucid]

one of 3 things. It can also compute something based on the data passed to it and not modify the data passed. That's functional style, and is generally considered good practive.

And then you don't store that data anywhere, so that function doesn't impact any of the other code anywhere, because it doesn't impact any value that's passed on through the program, right?

Re:Or..

[bluefoxlucid]

who says they're merging back? If they are then your whining is for nothing since it will be merged back. If not then your point is moot.

The libav people go to the ffmpeg repos, get code, and merge it into ffmpeg. Same with vice versa. Do you think only OpenBSD LibreSSL developers could merge code back to OpenSSL? Probably someone else is going to pull the code from LibreSSL and merge it; otherwise wouldn't OpenBSD LibreSSL developers just be OpenSSL developers?

Apparently you don't understand how programming works as a group process either, or how community dynamics in open source software work, or something. Somewhere you've failed to figure out how code gets from one place to another.

Re:Or..

[bluefoxlucid]

You assert that LibreSSL is OS agnostic even if it works only on one OS. Well, Internet Explorer only works on one OS, so it's OS agnostic too.

Re:Or..

[Dutch+Gun]

That would be ideal, and there's nothing stopping the OpenSSL project from doing that.

Except for a lack of manpower and funding, which this fork is splintering even further. And the vague way that they say they're cleaning up OpenSSL when what they're doing is in fact forking it honestly strikes me as misleading. I don't mind that their out to make an OpenBSD specific fork of OpenSSL per se, just that if I'm going to fund something I'd rather fund getting it fixed for everyone.

Unfortunately, the OpenSSL team has demonstrated that they're unable to properly maintain a large codebase. Lack of funding does not turn your coding into a nightmare. That comes from a lack of leadership and coding discipline. The OpenSSL team decided that it could no longer rely on them to turn that project around, and has made the only decision that really makes any sense for them, considering their position.

The big question for me is how serious they are about supporting / developing proper compatibility layers. I was concerned when I hear about them ripping out compatibility code, but in thinking about it, I'd probably take the same approach. First start with your own native platform and write straight C / posix as much as possible, and then add a proper compatibility layer (meaning NOT just a bunch of platform #ifdefs scattered around the code) later.

We'll see how it shakes out, but I wish them luck in their endeavors. It will be interesting to see what comes of this. In the meantime, however, we should keep in mind that a lot of people still rely on OpenSSL, and will continue to do so until there is a viable alternative. Maybe this will motivate the OpenSSL team to clean up their own act in an attempt to avoid becoming irrelevant. Competition is, I think, a good thing, even among FOSS software project.

Re:Or..

[bluefoxlucid]

They're doing a huge amount of work. They're going to write portale code because they are good programmers but not going to to the porting---just like openssh. They write good solid portable code, other people port it, everyone wins.

Most peoples' definition of "portable code" is that it's, you know, portable. It runs on multiple platforms. Write once, run across all substantially-similar systems. For example: Unix utilities running on the POSIX platform are portable because the exact same unmodified source code can be compiled on any POSIX platform against the standard POSIX system headers and linked with the standard libraries and run. Much portable code also has OS specific performance enhancements: it may take advantage of an OS facility that is non-portable if available. Non-portable code is written in such a way that it must be modified to compile on other operating systems using standard, portable interfaces--a non-portable OS facility is used in all cases, and if not available then you cannot compile the code.

Your fallacy: Equivocation, the informal logical fallacy of calling two different things by the same name. In this case, "portability" (the ability to simply carry one thing from one place to another--in programming, the ability to compile unmodified code on various platforms which supply a standardized API) and "porting" (the act of making a thing portable--in programming, the act of rewriting non-portable software to be more portable by making it compile on additional platforms).

It's funny hoy you cite "eonomics" as your argument for why people should give you free stuff.

Yes. It's called wealth production. You see, if you use 1 unit of labor and produce 1 unit of output, you have created 0 wealth. If you use 2 units of labor and produce 1 unit of output, you destroy 1 unit of wealth. If you use 1 unit of labor and produce 2 units of output, you create wealth.

As I've explained, it takes some units of labor (effort, work) to fork a code base, greatly improve it in a way which makes it non-portable to the platforms the original code base was portable to, and then apply additional labor to modify the result to again make it portable to the same original target platforms. It takes some fewer units of labor to simply retain portability as you make the improvements. The end result of both of these strategies is the same; however, the second strategy requires fewer units of labor input--it destroys less wealth in the process of creating the same wealth output, thus it is economically more efficient.

Think about if you paid $10,000 for a car, then paid $1000 for new tires and $3000 to add a V6 engine to replace the I4. Now consider if instead you paid $12,000 for the higher model which comes with the upgraded tires and the V6 engine. In both cases you get the same car; however, in one case you get it for $14,000 and in the other you get it for $12,000. In the first case, additional labor is used to install, ship, and then remove the original equipment, which is then replaced with new equipment which must be installed and shipped. The first install-ship-remove cycle (and any re-shipping to get those parts to another place where they are useful) is avoided by doing it right the first time, which is where the $2000 savings in this example comes from (we assume in this model that the automaker uses a static margin model, where everything is produced and then has a certain marginal profit slapped onto it).

Why would you waste effort making additional work?

Re:Or..

[Desler]

Were any of the OpenBSD people previously OpenSSL contributors? If not there is no splintering at all it's simply another group of people taking the reins.

Re:Or..

[St.Creed]

Spouting logical fallacies really don't help your argument. Noone said there was a causal relationship between being available on one OS and being portable. In fact, GP claims exactly the opposite.

Re:Or..

The OpenBLD team can always contribute fixes to the version that OpenSSL maintains.

Sure, but they see no point. Why don't you contribute to OpenSSL instead of demanding that others only do what you think they should do? In all the time you spent whining you could have usefully contributed to OpenSSL.

Re:Or..

PolarSSL is not API-compatible. It would require rewriting tons of third party software to replace OpenSSL with it.

Re:Or..

[serviscope_minor]

hehe

you don't know about functional programming, pure functions and immutability and you want us to take your word for anything about maintaining a crypto library?

lolz are in order I think.

Re:Or..

[chriscappuccio]

The OpenBSD version of this library should work on any modern unix system with minimal to no change at all. The code being removed affects VMS, Windows, OS/2, and other systems. Even modern versions of Windows should require less hacks to work properly these days. The HUGE amount of workarounds, abstractions and obfuscations to support these ancient/useless systems are nothing but a hindrance to bug-free TLS support.

Re:Or..

[chriscappuccio]

Their format of the code is horribly broken and hard to read. Who really fucking cares what they want?

Re:Or..

[viperidaenz]

How about if you want to fork OpenSSL, you do it.

If OpenBSD want to fork OpenSSL, let them and stop bitching about it.

Re:Or..

[serviscope_minor]

As I've explained, it takes some units of labor

No, as you've asserted repeatedly without the slightest shred of evidence.

Think about if you paid $10,000 for a car, t

Blah balh, but you're not paying, you're asking them to work for you for free. Ain't gonna happen, leech.

Re:Or..

[gatkinso]

All together now, say it with me... "shim."

There! That wasn't as hard as we thought!

Re:Or..

We need more implementations of SSL that are available free; not less.

In the same way that the whole internet didn't get fried because Windows wasn't vulnerable to Heartbleed, we need more different implementations of SSL with code different enough that the same bugs don't apply.

Hopefully LibreSSL change the code so much that bugs in that don't apply to OpenSSL, and vice versa.

  I am personally hoping they change it so much that changes in LibreSSL are completely and utterly incompatible with OpenSSL. So that we don't end up as fucked as heartbleed made us. Seriously.

Re:Or..

[the_B0fh]

And? If you want it for your pet OS, you can write your own. Or you can pay someone to port something to your pet OS. And if you want to pay someone, go ahead. Nobody owes you anything.

Re:Or..

[the_B0fh]

He already stated that he has issues with Theo. That would explain his warped view of things.

Re:Or..

[the_B0fh]

Are you fucking retarded? The OpenBLD team can always contribute fixes to the version that OpenSSL maintains.

How? Did you see the number of changes and fixes already made? The OpenSSL team already said they can't handle it.

But hey, you're right, they should totally create a vendor-locked version of an extremely critical core Internet security technology and then tell people that they can either pay up or do the work to vender-unlock their non-portable code themselves. Selfish fucks.

"Hey, your shit stinks. If you can't fix it, I'll need to clean it up for my own use" and they're selfish fucks? You have a fucked up view of the world. Nobody owes you a damned thing. You are welcome to use OpenBSD if you want a safe secure version of ssl. If you don't, then don't. If you don't want to use OpenBSD, then go and pay someone to do it, or do it yourself.

Let me repeat that - nobody owes you a damned thing. This is a labor of love. They do not love what you love. They do not have to love what you love.

You are the fucking selfish fuck.

Re:Or..

[hobarrera]

I'd much rather see the OpenSSL project itself get cleaned up

That would be ideal, and there's nothing stopping the OpenSSL project from doing that.

There is something stopping them - that they're clearly incompetent and can't write secure (or even decent) code.

Re:Or..

[hobarrera]

They targeted their OS first. Everybody does that. Do you target ALL platforms when you write software, or so you target your own first, and when it works, test on others?

Re:Or..

[bluefoxlucid]

You're missing a large point here: function 'int getBoundaryLength(myObject *p)' returns back a piece of information about boundary length. A lot of things use boundary length, and boundary length is stored in a variable 'L = getBoundaryLength(p)' which gets passed around and assigned to things in objects (structures, classes) and subsequently used by other functions such as 'int copyBuffer(char *d, char *s)'.

Modifying how getBoundaryLength() produces its return value has an impact on all of this code. Buffers allocated on that length passed to other functions may be too short; copy operations may be too long. These are things you must verify. So a one-line modification to a function can have huge, sweeping impact across your program.

You can pretend you know more about programming because you think you've invented a way for modifications to one function to have no impact on any other part of the code; but if you ever achieve that goal, gcc has a "dead code eliminator" which removes your entire function, unless it's exported and thus gcc can't verify that nothing else calls it to useful effect.

Re:Or..

[bluefoxlucid]

Did... did you just argue that work doesn't take any units of labor? That there's not a shred of evidence that you need to actually do something to produce output?

You just argued that the world is magic and things rise out of the ether.

Re:Or..

[bluefoxlucid]

I target all platforms and avoid using any OS-specific facilities outside of #ifdef blocks, unless I'm writing something specifically for an OS that requires a particular facility (I.e. to enhance the OS, say like udev). Often I leave this to the people who wrote whatever Python modules I'm using these days.

Re:Or..

[serviscope_minor]

Did... did you just argue that work doesn't take any units of labor?

No, but you're apparently too dim to either remember your own arguments or comprehend mine. I'm arguing that you have no shred of evidence that the stripdown, audit, then port is more work than trying to clean the current code base other ways.

You keep claiming this but have no evidence.

You just argued that the world is magic and things rise out of the ether.

Like you? You're the one who keeps arguing that the OpenBSD people should do stuff for free because it would be better for you if they did. All I can say to that is no shit, sherlock, but it ain't gonna happen!

Re:Or..

[bluefoxlucid]

Oh I see. You're trying to ask for evidence that the sky is blue. Got it.

(It is considerably well-known that doing things to achieve the final goal in the first pass is vastly more efficient than doing things haphazardly with disregard to part of an end goal, then going back and adding the remaining requirements and redoing the work to fit with them. This is the basis for some archaic and probably outdated behavior commonly known as "planning".)

Re:Or..

[hobarrera]

That's easy to say for python and other high-level languages, but a lot harder for something in C. Especially due to a popularity of non-POSIX OSs out there.

Also, even if you do what you say, you still target and test your own platform first, and only start making sure it works on others once you have it working. Or do you test your code on all your target platforms from day 0?

Re:Or..

[bluefoxlucid]

Hint: Python doesn't have #ifdef blocks.

You do understand that POSIX and standard C libraries are essentially universal, and that OS-specific facilities are less-universal, right? POSIX compatibility gets me all BSD, AIX, System V, HPUX, Solaris, and OSX platforms; but I usually validate anything non-trivial against what's sane for Windows, if Windows is an eventual target. For something like a system allocator, Windows may not be a target: you can't really replace the system allocator anyway, whereas your allocator could get adopted by various libc implementations. For something like a MIDI sequencer, the choice of wxWidgets and portable middle-layer libraries or the cautious use of gtk+ facilities portable across all systems is usually a consideration.

From Day 0, I consider anything I do in my code against what my target platforms will be, and what facilities they are likely to not share. For example: All Unix systems are likely to share malloc() and mmap(). They're unlikely to share inotify or kevent facilities specific to Linux, which one should implement with caution. Likewise, relying on specialized system behavior is a big problem: a lot of people relied on the size of ints and longs, whereas I've always used uint32_t or int64_t or whatnot when the size had some real importance (i.e. in OpenSSL, that TLS heartbeat is a 16-bit value; you'd better not use 'unsigned short int' to refer to it, but rather 'uint16_t' from C99).

I learned C after I learned assembly. It seems unnatural to not consider the full impact of your programming code.

Re:Or..

[serviscope_minor]

(It is considerably well-known that doing things to achieve the final goal in the first pass is vastly more efficient than doing things haphazardly with disregard to part of an end goal, then going back and adding the remaining requirements and redoing the work to fit with them. This is the basis for some archaic and probably outdated behavior commonly known as "planning".)

First no. The old code base is such a mess that working with it is hard. This kind of thing can only be evaluated on a case by case basis.

Secondly the OpenBSD developers are good enough and smart enough to keep the OS speific stuff in a nice thin layer which makes porting easy. They will write easy to port code but not actually do the porting themselves.

Re:Or..

[serviscope_minor]

Modifying how getBoundaryLength() produces its return value has an impact on all of this code. Buffers allocated on that length passed to other functions may be too short; copy operations may be too long. These are things you must verify. So a one-line modification to a function can have huge, sweeping impact across your program.

Good god if you're doing it like that no wonder you think the effort is doomed.

If you make sure every function maintains its invatiants ad postconditions then given valid input data, you can be sure the output is always valid. There are ways of construting code so that it's easy to make sure the preconditions are always maintained. The audit will make sure that these easy methods are used throughout. Things like strlcat for example always guarantees null termination.

Then there are many ways of modifying the code such that you don't have to check everything.

In the most extreme case you an prove the code correct. Once proven correct a function cna never mysteriously become incorrect. It doesn't matter what it does, it will always be correct.

A lot of modern software design is about decoupling things so that you don't have to laboriously check the entire code base every time you make a small change.

Re:Or..

You are the fucking retard if you think you are in any way entitled to the OpenBSD devs' work. And let's not even talk about obligating them to do even more work for your shitty OS or for "everyone's requirements". Nobody can require shit from them. Only lazy and selfish fucks like you think they can. The code is there, stop being a lazy and selfish fuck and do the work and share it with other lazy selfish fucks if you care. Hell, you can even take the bugfixes and contribute them to OpenSSL.

But you are too stupid. You probably think porting the code is difficult, you think the OpenBSD people completely broke it because they have zero concern for other OSes. You are so fucking ignorant it makes me want to vomit on people.. no, not people, I mean trolls.

Re:Or..

> They're putting in some effort to grow the carrot, but they've decided to plant their carrot field atop a mountain

Not a mountain. Up a short flight of stairs. If you are 95 and in a bad shape, you might have to stop and pant every few steps, but you can make it. If you're in a wheelchair, sucks to be you. Maybe someone can help you.

You think it is hard to port to Linux or whatever shit you use. You think wrong, because you're fucking ignorant.

But the OpenBSD developers have their priorities. Because they are developing OpenBSD. They are working on their own fucking OS. If they were battling Linux/OS X/Windows/shit, they wouldn't get any work done on their fucking os, on their fucking fork of the library they decided to clean up. They develop it on OpenBSD. They build it on OpenBSD. Do you seriously expect them to run every other OS and test every change on it? It takes time and effort you know. Oh wait, you don't know. Because you are such a slimy impatient pile of rotting elephant shit dangling from the ass hair of a dog who accidentally sat on it, and you do not understand that serving you is time taken away from improving the fucking code you want so hard.

Re:Or..

> That means merging code between divergent code bases has far-reaching implications.

Who gives a goddamn shit. Nobody is merging shit. LibreSSL is a new fork, you use it or you don't.

And no, a portable version of LibreSSL is hardly a divergent code base. It's just a build system that pleases GNU cocksuckers, plus a few library functions GNU cocksuckers refuse to include in their libcrap, maybe a shim or two around some Linux specific API that should be used for some specific thing. Maybe a few ifdefs to disable openbsd specific functionality and enable the linux shim instead.

You spout a ton of nonsense because you have never looked at the ports of userspace OpenBSD utilities. You have not looked at the code, so you don't know what you are talking about. You are fucking stupid.

I could port libreSSL for your Linsux in fifteen minutes if it didn't take a week to install and configure whatever pile of shit distro is the fad now.

Re:Or..

[rubycodez]

you seem to be ignorant of fact openssl didn't want to take the fixes or to be instructed on how to properly implement code. this was done out of frustration the openssl's teams lack of willingness to do things correctly or be corrected

Re:Or..

[rubycodez]

like the OpenBSD's team's openssh isn't ported to other OS? like every single commit of the fixes their are making on openssl aren't on globally public web servers? oh wait, they are... you must be totally full of shit

Re:Or..

[hobarrera]

All those points those considerations you say you take are being taken by the OpenBSD team. But they still haven't released ports for other OSs, because they target their own first. Much like what you describe you would do.

Of couse that the code they have right now may work on other OSs. But they've made no official release since they haven't targeted them yet.

Re:Or..

[bluefoxlucid]

This kind of thing can only be evaluated on a case by case basis.

In the same way that 6,880 pound kerb weight gasoline V8 pickup trucks with 400HP engines getting worse MPG than 3,220 pound kerb weight V6 passenger vehicles with 220HP can only be evaluated on a case-by-case basis.

I'm sorry but I'm going by scientific basis here, by known principles that have been put into practice, re-examined, and attacked repeatedly by method (agile project management is one such method to attempt to make repeating work less of a problem; it does reduce the problem and reduce risk compared to waterfall for projects which have high risk, but it still doesn't make parity). It simply takes less effort to consolidate multiple tasks into single tasks, for example the task of understanding a code base (as you write it) and ensuring cross-platform portability requires two passes: if you implement portability later, you have to re-examine the code base, find non-portable code, then re-envision how you want to write this code so that it meets requirements both old and new. That same work is done the first time you write it, just with different constraints and more mass output; doing it this way the first time eliminates the difference.

I guess you like to drive to the super market and spend 2 hours shopping for detergent, eggs, bread, yogurt, flour, pasta, sauces, cheese, and produce; and then drive home and go out for another 15 minutes to the corner store to get milk. Me, I'll take the 30 second diversion to grab the milk while I'm grabbing the yogurt at the super market.

Re:Or..

[bluefoxlucid]

You just don't get it. You're assuming that a function is perfect, that its code is provably correct. Well, we were originally talking about integrating new, not-broken, correct code into a code body which is incorrect, so that assumption is immediately useless here. Further, if your code is correct and perfect, why would you come back to modify it?

We're coming in to clean up bugs. Now we're taking code and integrating it from one changing code base into another changing code base. The new code may work properly, while the old has corner cases that break synergistically: some body of code may work properly only in the presence of a defect in some other body of code. Microsoft Windows' source code was published a decade or so ago, and it was rife with this--hacks on top of hacks.

Do you honestly think that this can be done by just "checking the function for correctness"? You've integrated some correct code from another codebase which now makes this part of your code correct. Unfortunately some other part of your code now fails and, in the most extreme cases, we've created a new exploitable condition!

So now you have to go back and assess impact. By changing this function, you change a lot of other code. That code has the same logic, but different data coming to it--it's the same cog shoved into a different machine. You can do analysis to see if your new function does anything different than the old function, if the conditions its output precipitates on can now produce different output. If you can't prove that it doesn't produce different output in some situations, then you must now assume that your program changes may have wide impact. This includes if your output may be between 1 and 255, and it is, but it may return 47 instead of 42.

You can reduce the probabilities, but you cannot eliminate the risk. OpenSSL merging LibreSSL code without doing impact analysis and making sure the new code doesn't open new vulnerabilities will incur risk. Hell, LibreSSL will face the risk of creating new vulnerabilities as it goes, so you may eliminate 100 problems and cause 1 and that's okay because you are 99 problems better. The risk OpenSSL faces is greater, because they may import defective code from LibreSSL, or they may import code that works but which is no longer broken in such a way as required by other (still broken) code present in OpenSSL but no longer in LibreSSL.

Re:Or..

[bluefoxlucid]

OpenBSD didn't outright state that they're going to port OpenSSL to other OSes when they get some money. They did outright state that they're not going to make LibreSSL portable until they get some money. But thanks for showing the fallacy of equivocation.

Re:Or..

[serviscope_minor]

I guess you like to drive to the super market and spend 2 hours shopping for detergent, eggs, bread, yogurt, flour, pasta, sauces, cheese, and produce; and then drive home and go out for another 15 minutes to the corner store to get milk. Me, I'll take the 30 second diversion to grab the milk while I'm grabbing the yogurt at the super market.

Well to use your thoroughly butchered analogy, it's like the corner store being a couple of doors down. It's no more effort to park at home then walk to the store than it is to park at the store, then get back in, move the car 20 yards and then park again.

Re:Or..

[serviscope_minor]

Your point holds if OpenSSL are going to merge the changes back. I don't think they will, since they haven't merged in some bugfix patches that have been outstanding for years.

The whole point is about porting. They're writing it OpenBSD only. Assuming they know (for instance) strlcpy is correct, then can audit the rest of the code for correctness. When they find a platform without strlcpy (hello Linux!) someone can plonk in a correct strlcpy implementation and hey presto the thing is still correct throughout.

Porting well designed code is not that hard. The differences are going to be on things like missing functions (strl*) and socket differences. Once you make sure those bits of interface code are correct and you know you've checked everything else for correctness, then you know that the combination is correct.

Just because you've changed the socket code, and that might change the data doesn't mean you have to check everything else in the codebase that uses the data. Once you're sure your socket code is meeting the exprected preconditions that everything else expects then everything else will remain correct.

Re:Or..

Add a shim and you are set.

polarssl is gpl2.

Re:Or..

OpenSSL now has all the funding and manpower is can use. It is in danger of being taken over by MS, Google and all the other big companies pledging money and programmer time.

captcha: dragons. How fitting

Re:Or..

WTF????

It returns a modified copy of the data that was passed into it.

Functional programming is not hard and it removes about 80% of the problems in imperative code, for free.

Re:Or..

OpenSSL can't be swapped to BSD license, except by the license holders which the BSD circle jerk team are not.

Re:Graphic design geniuses too

[marcello_dl]

They never claimed they were.

Re:Graphic design geniuses too

There's something at the bottom of the page.

"This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags"

Re:Graphic design geniuses too

[QilessQi]

This. Seriously. People may not think that appearance is important, but it is. Comic Sans does not inspire confidence.

Re:Graphic design geniuses too

It put ME in a better mood and so I donated even more. I'd say it's genius!

CAPTCHA: patrons

Good Guy Theo

[nimbius]

finds out openssl is bollocks,
radically refactors and overhauls millions of lines of code.

as for the LibreSSL team, might i suggest some music?
http://www.openbsd.org/lyrics....
http://www.openbsd.org/lyrics....

Re:Good Guy Theo

[gweihir]

They already have music under the "OpenSSL" link on the LibreSSL webpage. Seems they are ahead of you ;-)

Re:Graphic design geniuses too

[Threni]

Who thinks it's important? Who'll decide to switch or not based on a font on a website? Why?

Re:Graphic design geniuses too

[benjfowler]

I'd say it's puerile -- and a bit alarming, considering these people are building something so important to the continued health of the internet.

Re:Can they do OpenSSH too?

They DO OpenSSH. And other projects: http://www.openbsdfoundation.org/

Please change the API

Another problem with OpenSSL is its hideous API - huge, inconsistent, poorly documented, and exposing way too many low level protocol details that should be handled internally by the library, not by applications.

Re:Please change the API

[chriscappuccio]

That will take time. The first versions will try to be API compatible because of the huge base of existing software. The future will see incremental API improvements as people learn from their experiences.

Re:Graphic design geniuses too

Comic Sans.

That looks professional.

"This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags"

Har har...

Re:Graphic design geniuses too

[Huntr]

Helpful disclaimer at bottom of that page:

This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags.

Sane licence

Now if only libressl could have a sane licence that wasn't GPL-incompatible :(

Re:Sane licence

It's the GPL that is incompatible by design with other licenses.

Please don't

[duke_cheetah2003]

Don't fork SSL, we need to keep one standard, I'd think. This is a bad idea. These resources could be used to improve OpenSSL directly.

Re:Please don't

[Kardos]

It's not a bad idea. OpenSSL has become unwieldy, which has been known for quite some time. A major refactoring is long overdue. Does it matter if the project changes name? OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.

> Even after all those changes, the codebase is still API compatible.

It's going to be a drop in replacement for OpenSSL. Same idea as the MariaDB fork of MySQL. Where is the "bad idea" here?

Re:Please don't

Oblig XKCD

Re:Please don't

Where is the "bad idea" here?

A fork is alien to the OSS concept. If you are not happy with direction and quality of current maintainer and code, and think you can do better, you shouldn't just fork it and do it. Who have ever asked you to do that with OSS?? You should work with the provider and hope that helps.

Re:Please don't

[jeffmeden]

OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.

Rather, they apparently don't (hence the donations plea). What they do have time for is forking OpenSSL, cutting out the stuff they don't care about, and slapping each other on the back for giving OpenSSL a good poke in the eye.

Re:Please don't

[serviscope_minor]

Don't fork SSL

They're not.

we need to keep one standard

They are.

This is a bad idea.

It's not because your assumptions bove are faulty.

These resources could be used to improve OpenSSL directly.

That's exactly what they are doing. But they're forking OpenSSL because they want to do it their way.

Re:Please don't

[upuv]

SSL is the standard.
OpenSSL is an implementation
LibreSSL is an implementation

The standard isn't forked.

In this instance the standard mostly applies to the protocol. The on system interfaces will most likely mutate rather quickly. Most specifically at the user interaction level. The library interfaces will most likely remain steady.

This isn't a bad thing.

SSL and it's related crypto cousins is all about trust, but paradoxically Crypto people don't trust crypto people so there is very little trust out there. So really powerful things like personal / corporate certificate authorities just don't exist in practice. Imagine the power of a CA for personal certs. It would change authentication forever. Good bye 300 passwords. But since no two people can build two independent systems that truly trust each other there really is no hope for personal certificate authorities. Maybe this reboot of an SSL implementation can move us one step closer. Or even an inch/2.2cm.

Re:Please don't

Why not fork it? The current maintainers are obviously fuckups when compared to Theo's crew.

I live in the US (for which Theo has had a few choice words), I don't care for his acidic attitude at times, but he is an effective leader and software engineer. I *trust* him specifically due to his distrust of so many who buy into the status quo.

In addition, I think we should have a IndieGoGo or Kickstarter campaign to run background investigations into each new core LibreSSL team member for NSA links just like the TrueCrypt folks who are trying to raise money for a code audit.

Re:Please don't

Or even an inch/2.2cm.

Hopefully it's really an inch/2.54cm, or it'll be just a bad as OpenSSL if they can't do basic metric conversions.

Re:Please don't

[geminidomino]

What? Forking is a huge part of the OSS concept. "If you don't like the way the devs are going, STFU and change it yourself."

In *practice* it may not work that way very often (the biggest offenders in recent memory are massive projects that it's infeasible for a single or handful of developers to maintain. i.e. browsers, DEs, etc..), but you've got a pretty warped idea of OSS if you think it's "alien" to the concept.

Re:Please don't

SSL is a standard. They're not forking SSL, they're forking OpenSSL. There are already many (more than 10, at least) SSL implementations. Having an OpenSSL API compatible alternative can only be a good thing. Worst case, nobody uses it.

Re:Please don't

[Sique]

I am not sure if this is an attempt at being ironic.

Re:Please don't

This will make NSA's work a bit harder, so it is entirely unpatriotic ! Don't cha know that ???

They now need to work on two exploit suites instead of one !!!!!

Re:Please don't

This.

Re:Please don't

[serviscope_minor]

Rather, they apparently don't (hence the donations plea).

Seems unlikely they do. OpenBSD is a full time project. Also, wouldn't it be rather unethical to spend money donated to OpenBSD to work on non OpenBSD things. Besides whay makes you think these people even have Linux/Mac/Windows/iOS/wtfOS machines on which to do the porting?

What they do have time for is forking OpenSSL, cutting out the stuff they don't care about,

and then fixing up and auditing the code and providing a free, incredibly secure and open source operating system to everyone in the world, portable to something liek 20 pltforms. What bad people.

and slapping each other on the back for giving OpenSSL a good poke in the eye.

Basically you're a combination of paranoid and entitled. I think someone else described peolpe like you as shitheads. I'm inclined to agree. Tell you what: if you come over to my house and dig my garden for free, to my *exact* specification and travelling at your own expense (no, I won't provide you with lunch or even cups of tea and certainly not accomodation when it inevitably takes you more than a day), then I'll accept your argument that the OpenBSD people should be giving you even more free stuff than they already are.

Re:Please don't

As far as I understand the OpenSSL guys and the OpenBSD guys are part of the same project.

Re:Please don't

[DaMattster]

OpenSSL needs a revamp. If the project won't do it, fork it!

Re:Please don't

One of the main point of OSS is that when for whatever reason you can't or don't want to work with the provider, you can do it.

Re:Please don't

[tiagosousa]

But then they couldn't use donations from LibreSSL to sponsor OpenBSD, which for them is the same project, even if 99% of the donors don't care about it, not to mention their basement DC.

Re:Please don't

Forking is exactly what needs to be done. The code is old and full of redundant cruft for OSes that aren't used.

The API isn't changing, and there's a lot of focus on the new project. The final result is going to be thoroughly checked and have clean code. Other OSes can then take this as a base and start fscking it all up again.

Re:Please don't

[duke_cheetah2003]

Exactly. Does it matter if the project changes names? Why don't the people interested in 'fixing' OpenSSL just leave it named OpenSSL? Why change? Seems to me that forking OpenSSL to something new is giving the finger to those who developed SSL in the past, and saying 'we're not going to work with you.' It just seems very wasteful. Collaborate and fix it together, rather than splinter. Ever heard of divide and conquer? Why would open source community divide and conquer itself? Seems counter-productive.

Re:Please don't

Well actually, just to be completely precise, the standard is called TLS.

Sure, TLS 1.0 is pretty much just derived from SSL 3.0, but it's still not the same.

Open to ripping out compatibility?

Granted, the OBSD team has a known personality.

That said, diffs to remove compatibility would likely be rejected. Also, the rate at which they're being submitted wouldn't be verifiable by the OpenSSL team.

Plus, it's better to have multiple libraries.

This is for the better.

Re:Open to ripping out compatibility?

[cant_get_a_good_nick]

Plus, it's better to have multiple libraries.

This is not a universal good. There is a cost to:

* Choice. Now I need to figure out which is better. This is why Amazon has reviews - choice makes things difficult.

* Diffusion of resources. Part of the reason OpenSSL was so bad was that this team had no money and no resources.

There are a lot of projects out there, forks for spite, forks for license religion, that are a waste of time and resources. "Oh ____ has a free software license, but it has slightly different focuses of types of freedom, therefore it's heresy. Hey, here's GNU____. We know you'll ignore the bugs/missing features, because FREEDOM"

Re:Graphic design geniuses too

If You want a confidence audit the code.

Re:Graphic design geniuses too

[Missing.Matter]

Typefaces by their nature are designed to convey a specific emotions. It's the whole reason we don't simply convey written information in one fixed typeface; some are more appropriate than others given the situation.

Comic Sans in particular is designed to imitate comic book lettering. It's not particularly professional. In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals. Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

Re:Graphic design geniuses too

[serviscope_minor]

Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option. If people want to make stupid emotional decisions, then it's time to let them. No actually, it's time to encourage them because it means I will have fewer serious competitors of the competition hamstring themselves with ill-informed emotional decisions.

Get it FIPS certified

[sinij]

The key reason OpenSSL is so popular in US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has certified module.

Re:Get it FIPS certified

[brunes69]

People are starting to think tha "FIPS Certified" means "has all required NSA backdoors installed".

Re:Get it FIPS certified

[sinij]

You might be proven right by the next Snowden report, but this still will not change the fact that to sell to the government you need to demonstrate your crypto is certified.

Another way of thinking about this - your liability is much higher when your badly broken crypto results in your customer database in the pastebin, than when your backdoored library results in your customer database somewhere in the NSA data vault.

Re:Get it FIPS certified

[BitZtream]

Wrong.

A specific version of the OpenSSL binaries a LONG time ago received a low level of FIPS 140 certification. That certification was for specific binaries built from a specific code base. The instant a single line of source was changed, the entire FIPS certification is null and void for the new version. Depending not he exact way it was certified it is entirely possible that even compiling the same source code from the version that was certified ... does not itself receive the certification.

NO ONE uses the FIPS certified module as it is broken in many known ways. Anyone who does use it are retarded since its well known to be susceptible to several attacks that make it horribly broken even though it received a low level FIPS certification.

Re:Get it FIPS certified

[BitZtream]

Having gone through the certification process myself, people that think that are stupid, paranoid idiots. The certification process is entirely based on finding and fixing known flaws in the encryption process, nothing I saw would indicate any kind of weakening.

Of course, its entirely possible that the NSA was aware that my code was insecure and just didn't request any changes to make it weaker, but the certification process certainly didn't make that apparent.

Re:Get it FIPS certified

[Error27]

If you read the article then you'll see that the OpenBSD explicitly rejects FIPS certification as a goal.

FIPS certification is why OpenSSL includes the NSA backdoor DUAL EC pseudo random number generator. The code doesn't work but it's still included and can't be fixed. Anything which leads to an outcome like this... Disgust. Disgust and revulsion.

Re:Get it FIPS certified

[Kardos]

If OpenBSD is successful in their goal of making a lean and mean LibreSSL, is there anything that stops someone else from getting it FIPS certified?

Clearly it would have to be re-done with each release, so presumably nobody would bother until LibreSSL is stable.

Re:Get it FIPS certified

[Lennie]

Do you know what FIPS certification does ?

They check the algoritms (read: math), not the implementation.

So nothing has really changed from that standpoint.

Will LibreSSL be FIPS certified ? Probably not.

Re:Get it FIPS certified

Very few, except for most.

If the government needs their computers to remain insecure, they still have OpenSSL. This is for everyone else, where the insecurity certification is perceived as having no (or even negative) value.

Re:Get it FIPS certified

[Bob9113]

The key reason OpenSSL is so popular in US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has certified module.

Sounds like a good idea. Perhaps the system integrators who want to have a FIPS certified version of SSL that is also secure should do the legwork on getting the certification done, while Theo and his team work on the code. Decentralized do-ocracy FTW.

Re:Get it FIPS certified

[greg1104]

That's why I avoid all this open-source hippie code and only use genuine RSA BSAFE.

Re:Get it FIPS certified

[greg1104]

That's not quite right either. The open-source releases of OpenSSL certainly do not ship with any implied FIPS certification. OpenSSL does offer FIPS validation for a specific build as part of their commercial support program. They say "Support for the FIPS Object Module, including assistance with building a validated module for a specific platform (if possible) is available with the Premium plan". It is not correct that these versions are exactly the same code as the ones first certified long ago.

There was an interesting post to the openssl annoucement mailing list about Flaws in Dual EC DRBG that sheds some more light on this area. It says: "The OpenSSL FIPS module is commonly used as the basis for rebranded proprietary validations (we call these 'private label' validations)", "FIPS 140-2 validations are expensive and difficult, taking on average a year to complete and we have to wait years between validations", and "Even if we wanted to fix it our options are severely constrained by the fact that the CMVP process forbids modifications of any kind (even to address severe vulnerabilities) without the substantial time and expense of formal retesting and review."

All this implies there absolutely are later versions of OpenSSL with FIPS certification out there. You just can't get one without significant input from the commercial end of the OpenSSL Foundation.

Re:Get it FIPS certified

Generally, these "agency certifications" are entirely pointless. They only prove you have followed the letters of some irrelevant process.

Real challenges have been in horrible source code bugs like

char* s; ...fill s from some external source, often from communications partner

printf(s);

And sure as hell not a single fatboy from agency will look at the code. They will look for the documentation bullshit and tick off boxes. Then you get a certification.

Having seen exactly the above from my countries fatboy agency, the BSI.

Re:Get it FIPS certified

[sconeu]

Have you ever participated in a FIPS certification?

They certainly do check the implementation.

Re:Get it FIPS certified

[chill]

The core encryption functions of an older version (0.9.8, I think) was spun off into a separate module and certified for FIPS. The certification process is that the code is provably correct and the implementation is flawless, which is why it takes so damn long. It is also why only the core crypto transforms are certified.

You CAN, and vendors DO update the wrapper module around the core functions and update things without having to go back under certification.

Case in point. The Red Hat version of FIPS-OpenSSL was susceptible to HeartBleed, even though the core FIPS module was based off of an older version that was produced before the code error was introduced! Why? Because the error wasn't in the core crypto but rather the wrapper, non-crypto code. The actual cryptographic transforms (AES, HMAC-SHA, etc.) functioned perfectly, but information was leaked by the non-crypto code.

LOTS of people -- like almost everyone in the U.S. Gov't or contractors that work on their systems -- use the FIPS certified module for OpenSSL. Or, at least, Red Hat's version of it.

Re:Get it FIPS certified

[BitZtream]

Cost. Thats about it. Certification for a very select bit of encryption, hashing and password generation code in my previous job was roughly $50k for the first round ... of which no one has ever succeeded at getting certified on first pass. You pretty much can't pay less than that, and every little bit of complexity you add drives the price up quickly.

Then, the certification is for THAT SPECIFIC code. Any changes to that module and its no longer certified. And by any changes I mean so much as adding a period to some text strings that are never used is enough to do it. ANY change. So you narrow down the module to be certified to the smallest amount of code possible.

Re:Get it FIPS certified

If the FIPS was process was so rigorous, then why was the FIPS mode of OpenSSL a fscking mess and completely broken? Anybody _actually_ using it in production would have run into a ton of bugs. Yet, interestingly, nobody did use it, even those selling to the government.

FIPS mode is about algorithms, not implementation. And we know for a fact that some of the FIPS algorithms are insecure and, with a high degree of certainty, made intentionally so by the NSA.

Re:Get it FIPS certified

Not well, because lots of FIPS-certified software is crap. Including OpenSSL's code, which has been FIPS certified on many occasions. There are known bugs in the FIPS modules which have made it through certification over and over.

The FIPS process is a sad joke at this point. Good for you for going through the rigamarole and banking money from government contracts. But it's idiotic to defend the clearly broken process. At this point it's a useless hurdle.

Re:Get it FIPS certified

[gatkinso]

Actually, it is more about build tools, configuration control, and dependency management than anything mentioned above.

Re:Get it FIPS certified

[DaMattster]

The key reason OpenSSL is so popular in US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has certified module.

I would rather it NOT be FIPS certified. I trust my government as much as I trust an 800 lb gorilla.

Re:Get it FIPS certified

[mpe]

Generally, these "agency certifications" are entirely pointless. They only prove you have followed the letters of some irrelevant process.

Whilst they can be technically useless they can be politcially vital.

Re:Get it FIPS certified

[hobarrera]

I highly doubt that the OpenBSD/LibreSSL people will invest in that. They care about doing secure software, not "lots of people using it", so, unless someone else pays the certification, it won't happen.
I'm amazed at how OpenSSL had so many issues, know inside the security community, but you still get FIPS certificaion if you use it. Clearly it's no more than a fancy stamp.

Re:Graphic design geniuses too

[jeffmeden]

In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals

Except you're right, it was caused by half-assing what was supposed to be a good feature, because the programmers decided they would just stop and come back to it later. But now we have *different* amateur volunteers working on it! Problem solved!

Re:Graphic design geniuses too

[jeffmeden]

Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option. If people want to make stupid emotional decisions, then it's time to let them. No actually, it's time to encourage them because it means I will have fewer serious competitors of the competition hamstring themselves with ill-informed emotional decisions.

They're pleading for donations. Are you comfortable being the sole donor, too?

Re:Graphic design geniuses too

wow, thought you were kidding.

They should have start a naming contest ...

[Taco+Cowboy]

LibreSSL.... Please for the love of code, change the name!

I wish they would start a naming contest soon.

There ought to be _someone_ out there who can come up with some much better name than "LibreSSL" ...

Re:They should have start a naming contest ...

FreeSSL? [/sarcasm]

Re:They should have start a naming contest ...

[Mitchell314]

gnuSSL? Although TLS should be supported, so maybe gnuTLS?

Re:They should have start a naming contest ...

gnuSSL? Although TLS should be supported, so maybe gnuTLS?

Been there, done that

Re:They should have start a naming contest ...

[0100010001010011]

I doubt anything the OpenBSD group develops is going to be under the GNU licenses.

Re:They should have start a naming contest ...

[aix+tom]

How about VivaLaRevoluciónSSL. ;-P

Re:They should have start a naming contest ...

gunssl? for all the gun-loving freaks

Re:They should have start a naming contest ...

[Mitchell314]

Please don't make me explain the joke.

Re:They should have start a naming contest ...

As one of those gun-loving freaks, that does sound laughably like an ESR pet project.

Re:Graphic design geniuses too

[jeffmeden]

I'd say it's puerile -- and a bit alarming, considering these people are building something so important to the continued health of the internet.

But it goes right along with the notion that they are not even considering helping the original OpenSSL project (one that they have benefited greatly from in the past) and instead simply forked it in order to do only work that benefits themselves. The "we will get around to multiplatform when the donations pour in" is about as pathetic as the "we will get around to fixing that vulnerability countermeasure code later" that caused Heartbleed in the first place. If Heartbleed didn't scare people away from Free/Open Source software, then this surely will. Mission accomplished, Theo!

Re: hostage? no. try liberation

Ahem. You say "holding OpenSSL hostage," when in fact the two developers of OpenSSL are completely incomptent and deserve to have the project forcefully taken out of their hands.

Re:Can they do OpenSSH too?

OpenSSH is written in C, but I guess that's too complex for you. It is considered, by many held in high regards, to be "beautiful" code.

What will be next: LibreSystemd?

Now *there's* one that needs a cut-the-fat do-over.

Notice that Theo doesn't have the goal of making LibreSSL BSD-only.

Re:Graphic design geniuses too

They were kind enough to prepare their snark for you in advance.

At the moment we are too busy deleting and rewriting code to make a decent web page. No we don't want help making web pages, thank you.

Re:Graphic design geniuses too

Good marketing is what separates open-source software from the closed-source, shrink wrap sector.

Re:Graphic design geniuses too

[the_cosmocat]

Footer : "This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags"

Re:Graphic design geniuses too

[Dog-Cow]

And your post goes right along with the notion that Slashdot is filled with shitheads.

OpenSSL funding

It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help.

Well perhaps the OpenSSL folks need to examine how they're organized then.

There are reports that the OpenSSL Foundation got $2 000 for all of 2013. Meanwhile the FreeBSD Foundation got $750 000 in 2013, and are aiming for $1 million in 2014. The OpenBSD Foundation's goal for 2014 was $150K, which they reached.

I'm sure given OpenSSL's importance that they could match (and probably exceed) these other two projects, and get a proper staff.

Libre is the new Open

How about going retro with iSSL or eSSL? Or maybe xSSL - X's are always cool.

Re:Libre is the new Open

SSSL - Secure SSL

Re:Libre is the new Open

[pr0fessor]

SSSL - Secure Secure Socket Layer is that like when people say LAN Network - Local Area Network Network

Re:Libre is the new Open

[adiposity]

I had the same idea. But I was actually serious.

I think they could called it "ClosedSSL."

"You are still using OPEN ssl? Are you crazy? Used this CLOSED ssl to keep hackers out."

Re:Libre is the new Open

pssssst... that's the joke!

Re:Libre is the new Open

How about reSSL, that way the first release version will be the filename will be libressl.1.0.0.so.

Re:Libre is the new Open

Um, or ASSSL - Actually Secure SSL...

Re:Graphic design geniuses too

You honestly think there will only be one donor to the OpenBSD project? The fuck

Re:Graphic design geniuses too

Congratulations, you are officially a web hipster.

Re: hostage? no. try liberation

Yes, they goofed. However, is anyone else volunteering their time for a project that at best is an entry on a resume? The OpenSSL coders are paying a dear opportunity cost for doing their work. they could easily be making far more per month by making another F2P/P2W app for iOS.

IMHO, if one thinks they can do better, then go for it. It is easy to be an armchair coder and tsk-tsk about other people's mistakes. It is a lot harder to be actually producing and debugging hundreds of thousands of lines of code... earning zero for the task.

LibreSystemd?

[Arker]

After stripping out all of the unnecessary bloat, you would be left with BSDinit. There really is no need to go through all that trouble since BSDinit is already available. Stable, robust, sane, and works great on Unix or Linux.

Re:Can they do OpenSSH too?

[gweihir]

The OpenSSH security track record is excellent, almost perfect.

Yup. Well, the "Statue of liberty" is French

[HaggiStan]

Quote from the Wiki article (*):

The Statue of Liberty (Liberty Enlightening the World; French: La Liberte eclairant le monde) is a colossal neoclassical sculpture on Liberty Island in the middle of New York Harbor, in Manhattan, New York City. The statue, designed by Frédéric Auguste Bartholdi and dedicated on October 28, 1886, was a gift to the United States from the people of France

(*): accents removed since slashdot seems unable to handle them

Re:Graphic design geniuses too

[gweihir]

You seem to have missed the line at the bottom...

The link to OpenSSL is funny too ;-)

s/open/libre/ ?

[fatp]

OpenOffice -> LibreOffice
OpenSSL -> LibreSSL

Will the next be
OpenSSH -> LibreSSH
OpenBSD -> LibreBSD
OpenStack -> LibreStack
... ?

Re:Graphic design geniuses too

Typefaces by their nature are designed to convey a specific emotions. It's the whole reason we don't simply convey written information in one fixed typeface; some are more appropriate than others given the situation.

Comic Sans in particular is designed to imitate comic book lettering. It's not particularly professional. In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals. Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

All Comic Sans conveys is "the writer of this is a jackass".

Re:Graphic design geniuses too

[geminidomino]

Fait accompli, apparently. :D

Well played, Theo et al.

The same way we need to keep init standard?

[koinu]

A while ago... the common init startup procedures have been ignored by the Linux community and they developed their own Unix-incompatible way to start the system and even pollute many common applications with it so incompatibilties will be everywhere soon. And it keeps going on with KDBUS and so on..

Now when OpenBSD touches a central library it is ultimately bad for everyone, even when they don't destroy compatibility as much as it seems. Who uses VMS or pre-Windows-2000 systems today? Most of those people don't care about a new version of SSL anyway.

Re:The same way we need to keep init standard?

First, you are an idiot.

Secondly, SSL/TLS is not tied to OpenSSL.Rather, there exist quite a few implementations of a prose standard.

Thirdly, OpenSSL code was/is a hopeless pile of shit. This is not the first horrible issue. The faster we can get a clean alternative, the better it is.

Finally, Mr DeRaadt does the right thing and cleans out this Augias Stable. The fact that we have tons of morons who cannot think rationally in the IT world means little. Maybe lots of people shut simply shut up while Master Software Engineers like Mr DeRaadt take care of the important stuff.

Re:The same way we need to keep init standard?

[idontgno]

Theo, is that you?

The Imperial Third Person thing is certainly new and...interesting.

Anyways, thanks. I guess.

Ladies and Gentlemen, that was Theo De Raadt. Thanks for dropping by, Theo.

Re:What will be next: LibreSystemd?

[gweihir]

That one is easy: Just throw it away completely. Systemd is a major redesign of a major, critical Linux component.You would think that there is a very good, solid, compelling reason to do so. Apparently all they really have is "it boots faster". (And apparently id does not even do that in quite a few circumstances...)

My personal theory is that the NSA planned systemd as a project to sabotage Linux security (remember that Red Hat is primarily funded by the US military): Put an incompetent team with big egos in charge (Poettering and Sivers are certainly that), give them delusions of grandeur, make sure the BSD people ignore it by explicitly denying portability, and then just wait while the cretins produce a bloated, easy-to-exploit mess. (This "init-system" includes a freaking web-server! How stupid can you get?)

No need to place any backdoors, and all the countless vulnerabilities are genuine mistakes! Genius!

becase socialism is communism is real bad.

[Thud457]

I'm not gunna use no "liberal SSL", might as well just call it "socialist SSL" and get it over with.

They should call it "FREEDUMB:SSL" and make everybody happy.

Or at least "rePun SSL". Sorry, it's hard finding a use for that -ZL sound.

egoSSL

Why not call it egoSSL in honor of Theo DieRat!

Re:Graphic design geniuses too

[benjfowler]

They just come over as a bunch of complete, smug, self-absorbed wankers.

*golf clap*

Re:Can they do OpenSSH too?

Are you out of your mind?
OpenSSH is the only reason a machine of mine was rooted!

Re:Can they do OpenSSH too?

The OpenSSH security track record is excellent, almost perfect.

And yet OpenSSH also has its share of vulnerabilities:

http://www.cvedetails.com/vulnerability-list/vendor_id-7161/product_id-12081/Openssh-Openssh.html

Sure, none of those happened to be a total compromise, but that's basically luck. Consider:

"The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks. "

Bugs happen in all software. :)

As a orthogonal point, weirdly the OpenSSL CVE score is only 5.0...

http://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html

Re:Graphic design geniuses too

They fix their own platform. You fix your platform.
OpenSSL can merge back whatever changes they want.
It's not like they can steal openssl login credentials and just fix all the code and make a new release for them.

Re:Can they do OpenSSH too?

[gweihir]

Did you screw up the config? That will get you rooted...

Otherwise, please supply a CVE number for the vulnerability responsible.

GnuTSSLapp

Maybe gnuTSSlapp - Gnu TLS/SSL libre all privacy project . That sounds like it would fit the bill.

Re:Can they do OpenSSH too?

[gweihir]

You did notice that "legacy" in the thing you quote? You can run OpenSSH with insecure settings or with protocol version 1.0. But if you use these you are supposed to look at the security trade-offs yourself. The thing is that it is not OpenSSH that is insecure here, it just allows you to shoot yourself in the foot after warning you.

Re:Graphic design geniuses too

[lemur3]

they are not even considering helping the original OpenSSL project (one that they have benefited greatly from in the past) and instead simply forked it in order to do only work that benefits themselves.

so youre suggesting that the maintainers of OpenSSL would have gladly allowed some new kids on the block come in and remove over 200,000 lines of stuff ? and that the new kids on the block are being lame for not trying to do so?

I think this move kind of strikes to the heart of the benefits of opensource projects. When someone decides they want to go in a different direction, they can. This direction is clearly (judging by the nearly 100,000 lines of code removed) different than the one the OpenSSL team is on..

The openbsd team supports over 20 platforms already. Deciding on on not supporting libressl on those 20 platforms before theyre even finished with the main bulk of the work seems pretty reasonable to me... and of course, it will be opensource.. you can go support other platforms if you want!

if you've got an axe to grind against Theo, and the openbsd team thats fine..... but at least you can be reasonable about this.. there is no evidence that the openbsd team has the same mentality as those in the openssl team had when it comes to making secure and correct code..

using funding to decide how/when theyll support other platforms doesnt relate in any way to the attitudes that caused the heartbleed bug... in fact, it might show that they wouldnt want to put a half-effort into something which they cannot use all of their resources on... which is a good thing.

Re:Can they do OpenSSH too?

The reason your machine was rooted is because it allowed root logins from the internet, and the root password was "password". OpenSSL was just the means.

Re:Graphic design geniuses too

Certainly not your paymasters in Redmond. They will only pay for shitlobbers like you.

Re:s/open/libre/ ?

Good job, you figured out why they chose that name. However, it's unrealistic that anyone would want to fork OpenSSH or OpenBSD.

Re:What will be next: LibreSystemd?

The entire IT community is deep in love with "new, new, new". So we can new kernels with new features, new file systems, new browser features, new codecs. Did I tell you that you can now read your dog's neckband with Linux version 3.5.1.77-NEW ??

But only a few or no people make the effort to prove correctness of the kernel and the compilers and a basic web browser. That new-disease makes it incredibly easy for the Powers to find exploits. And that is exactly how they want it to be.

If we ever want "secure IT", we first need proven correct foundations like compilers, kernels, IP stacks. Will that ever happen ? I am sceptical.

License

[simon1tan]

They license the code so people can use it free of charge. Now they complain that people are using it free and not contributing back to the opensource community. Boohoo.

Re:Graphic design geniuses too

[thoth]

I don't think they care about how their font is interpreted.

I think this is more like - we're busy actually fixing code and not going to hire a team of web designers to produce a web 2.0 dynamic social-media-hooked-into website with a few links and a bit of text.

Aha!

[neiras]

This. Seriously. People may not think that appearance is important, but it is. Comic Sans does not inspire confidence.

WEB HIPSTER DETECTED! ;)

Re:Aha!

[QilessQi]

Guilty as charged. :-)

Re:Graphic design geniuses too

[serviscope_minor]

And your post goes right along with the notion that Slashdot is filled with shitheads.

Yeah basically this. The sense of entitlement from people is quite astonishing. It's not good enough that they provide a free, amazingly secure OS, a free suite of SSH tools used by the entire world and are provideing a complete, open, audited implementation of SSL apparently.

No, they should do more, for free on their own time.

Mod parent Troll

[neiras]

How the fuck does this kind of trolling/tin-foil-hattery get to +5? The only "Interesting" thing about it is the apparent level of paranoia being experienced by gweihir. I mean, Red Hat as an NSA tool to Destroy Linux? Sure!

I get it, some folks hate systemd and everything Lennart does (and I'm not picking sides anymore), but the parent is just a smear job.

Re:Mod parent Troll

Does that matter if he is right?

Gives me more reason to switch to *BSD even if he isn't!

Re:Mod parent Troll

Slashdot is full of crazy fucker.

Re:Mod parent Troll

[gweihir]

Have you even tried to find out what is going on? The evidence is getting quite compelling. But I guess some people cannot see what they do not want to see.

Re:Mod parent Troll

[neiras]

The evidence is getting quite compelling. But I guess some people cannot see what they do not want to see.

Look, if you think you have something and you want to be the messenger, by all means register a catchy domain name like Heartbleed (HatMunch?) and present your evidence of conspiracy in a straightforward, peer-reviewable way. I recommend staying away from Comic Sans when choosing a typeface.

It's a wild theory, but if you can present anything other than character assasination, cherry-picked facts and NSA O NOE, you might get listened to by people who matter. Until you do that, you're gonna get modded down, and rightfully so. It's put up or shut up time.

But I guess some people would rather vomit paranoia than actually put in the effort it takes to be heard.

Re:Mod parent Troll

[gweihir]

Well, to spin this further, you do know who downmodded me, and why I was at +5 before, right? Clearly this is done by the forces of evil. That would be the same people that pay you to be a troll here. And no, you do not get to define the rules. Oldest trick in the book to sabotage an opponent in a "discussion".

Re:Can they do OpenSSH too?

That codes looks "kind of nice". Still, using C++ could have made it more concise and therefore reduced the error potential. Mind you, using C++ does not guarantee that. Excellent engineers+experience+time+domain knowlegde plus C++ could possibly provide that.

Another way of tackling the "code complexity" (==lots of exploitable bugs, statistically speaking) would be to question the need for complex (== Asymmetric+symmetric, lots of options) protocols. The KISS principle certainly applies strongly to any security endeavour.

Lets make some easy money!

[danknight48]

But lets just read this again:

the project has already removed 90,000 lines of C code and 150,000 lines of content.
The project further promises multi-OS support once they have proper funding and the right portability team in place

Remove current code for Windows and VMS support = check.
Wait for funding to code in Windows and VMS support back in = check

Pull the other one guys, honestly.
Anyone can remove code from someone elses project and make it more "optimized". The whole point is to either replace that with newer code, not ask for money to put it back in.
Your basically stealing the work of OpenSSL and using the current heartbleed as a goat to get funding for your project.

Re:Lets make some easy money!

[Desler]

They are not going to put back in the original code. They will build a proper portability layer. Just like what was done for OpenSSH.

Re:Lets make some easy money!

[danknight48]

They are not going to put back in the original code. They will build a proper portability layer. Just like what was done for OpenSSH.

For which they want funding, before they will begin that work.

Let me put it to you as simple as possible, from their point of view:
"we waited for the heartbleed issue to be public. Then used it for our advantage"
"we removed 90k lines of code and removed support for multiple os's"
"we now require funding, before we carry on work"

I smell money grabbing bullshit to be honest.
Remove 90k lines of someone else's code and demand money? Finish the job, or dont bother starting it.

Re:Lets make some easy money!

You smell shit because you got lost on your way to getting a clue, and ended up in a cowhouse on a farm far away from civilization. You don't know the people behind this project, their track record, or other projects they have made available to the world.

If someone funds OpenBSD, that's positive. Because they need money to pay the fucking bills. They also need money to run developer events where they get shit done. Shit like auditing and cleaning up messy code bases everyone wants to run but doesn't want to pay a dime for.

In any case, the team is going to do what they can to make this library useful for them. They are already using it. They are improving it. They have found and fixed bugs. The work is being carried on. And the code is exactly as free (if not free-er) as OpenSSL, so if you don't like to wait for them to port it for you, you can just grab it, patch it up and run it on your shit. It should be pretty easy in fact; most of the portability crap they removed is unneeded unless you run 20 year old OSen. And now that the code is somewhat readable, it's even easier to patch.

If you don't like it, keep using OpenSSL with its bugs that have been sitting for years unrepaired.

Finally, this bit about "using it for our advantage". It's just bullshit. You can read the backstory if you get out of the stinking cowhouse, get a shower, and head to the clue land. Long story short, they were dissatisfied with the code quality and upstream that doesn't give a shit. They don't want to run an insecure crypto lib. So they gave a shit, forked the code, and are doing what they can to fix it, instead of complaining and doing nothing like the rest of the world's population after they heard about Heartbleed.

Re:Lets make some easy money!

[rubycodez]

wrong, they are working already. They've been working for years. They have been getting funding for years. They have proven projects that benefit everyone. They are merely asking for more donations: http://www.openbsdfoundation.o...

what is wrong with that, they have long track record of success.

Re:Graphic design geniuses too

Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option.

Says the troll who actually likes X.org. Yeah, we get that you don't care. Just like you don't care that Stallman digested his own toejam. People like you aren't normal, nor the cream of the crop, so it's not surprising you place little value on appearance and design. It's a sad, dreary world you live in.

Re:Graphic design geniuses too

[Pseudonym+Authority]

Are you retarded? For the trillionth time, OpenBSD had nothing to do with OpenSSL until they forked it? Learn how to fucking read.

Re:Graphic design geniuses too

[Pseudonym+Authority]

Luckily though, they have a history of completing quality software to back up such an attitude. That's way better then the countless shitty projects with websites that push the very limits of jQuery and have beautiful CSS, but are only half-functional at best and riddled with security holes and have an obnoxious focus on spreading the word via facebook and a dozen other social sites.

Re:Can they do OpenSSH too?

For example, why can't we simply use a basic, symmetric protocol to access other computers of our organization. Have a 32 Character hex string as the key; written down in 3-octet groups. Set this key up once for your user by physically walking to the other box.
If you need to share a key with a remote site, have an admin once a year do a physical courier transport to the other sites for a secret OTP book which will be used to establish keys based on new requirements for the next year.

Too much work ? Not sexy/hipster enough ? Too secure for The Powers ?

Re:Graphic design geniuses too

[Missing.Matter]

Actually, they went out of their way to make the website look so bad and added a snarky, unprofessional comment about "web hipsters" to play that fact up. If they had spent less time on the site it would have actually looked better. This is completely disregarding the fact that making a decent looking site takes maybe half an hour. The website they created completely *distracts* from the project.

Instead we have yet another open source project run by myopic developers. You know, people who want to develop, and only want to develop. Ancillary things like project maintenance, management, and fund raising are those not fun, boring things that developers don't want to do.... and which got OpenSSL into trouble in the first place.

Functionality

[morgauxo]

I wonder what, if any functionality they are removing.

Am I the only one?

To me, this just seems like they're trying to jump in quickly to take advantage of the OpenSSL FUD train to create a new "standard" that everyone will quickly switch to in a knee-jerk reaction, without really thinking the matter through, only to come out later and demand money from O/S vendors to re-integrate support for their O/S that was previously "deoptimized" from the OpenSSL code they're starting with...

Am I wrong?

Re:Am I the only one?

[Desler]

Yes. See: OpenSSH.

Re: hostage? no. try liberation

The OpenSSL coders are paying a dear opportunity cost for doing their work.

Bullshit. They're obviously not doing this full time, or they would have caught and fixed the Heartbleed bug long ago. And if they ARE doing this full time, then they're compeltely incompetent at their job. ("You had one job!")

IMHO, if one thinks they can do better, then go for it.

That's exactly what they're doing. This is a hostile takeover of the project. :)

p.s. Now you can go get a real job and/or go make Fwp/P2W apps for iOS instead of pretending to maintain OpenSSL. :-D

I can't say that I understand systemd...

[emil]

...but it seems to be a key player in Project Atomic.

This seems to be Red Hat's analog of Solaris "Zones" which let you give root to someone you don't trust in an isolated sandbox on your system. It appears to go further than zones in that you can exchange these sandbox images, with all of their installed software, with other systems. This lets you virtualize without running multiple kernels, yeilding a tremendous savings of memory. The additional assertion is that 3rd party software sales will be of these complete sandbox images, not an RPM/tarfile.

I will have a bit of studying to do for Red Hat 7. These are compelling new features, seemingly well worth the initial bugs.

p.s. just don't pass debug to grub.

Re:Graphic design geniuses too

[QilessQi]

Yep, I couldn't have put it better. I don't think they understand how that landing page (and the comment you mention) will actually reduce the likelihood that visitors will trust their professionalism or donate to their efforts.

Re:Can they do OpenSSH too?

The last across-the-board vulnerability in OpenSSH that I remember was before CVEs existed. It was circa 2000 or 2001. I remember because at the time I forgot my root password and used the exploit to break into my OpenBSD box.

Not long after that there was the zlib exploit, but by that point OpenSSH had privilege separation and it couldn't be used to root the machine, assuming privilege separation was enabled--many Linux distributions disabled it at the time, though.

However, the OpenSSH code is certainly not beautiful (as somebody else mentioned). I've extensively hacked on it. The code is actually quite old in many places, and all the feature enhancements by different people over the years have made it quite difficult to work with. It evolved with (and in many cases lead the development of) the SSH protocol, which means it had little benefit of hindsight to suggest how to structure the code. However, it's very well maintained, despite the ugly code, and that's what matters. OpenSSL, by contrast, is both ugly code and poorly maintained.

If you want pretty SSH code, I would checkout libssh2. Not sure about the quality, but it's definitely better structured.

Re:Graphic design geniuses too

The website they created completely *distracts* from the project.

No it doesn't. Now scamper along little web hipster.

Re:Graphic design geniuses too

So then no worse than you come off. Especially since they are busy doing important things not whining about fonts.

Re:Graphic design geniuses too

[St.Creed]

It's not like they can steal openssl login credentials and just fix all the code and make a new release for them.

Unless OpenSSL is still using their original code :)

Re:Can they do OpenSSH too?

[gweihir]

Just my point. The OpenSSH project has done its learning and reached a quite high level of quality 10 years or more ago. Ans as it does what it is supposed to, there is no need to add features, making it even more secure.
 

Re:Graphic design geniuses too

My god, get a sense of humor and stop taking every moment of life so seriously.

Re:s/open/libre/ ?

[Desler]

There is an OpenBSD fork. It's called Bitrig.

Re:Fuck Libre, Yeah

WING ATTACK PLAN R

PolarSSL already won this race

[gatkinso]

No reason to reinvent that.

Re:PolarSSL already won this race

[DaMattster]

PolarSSL is basically non-free. It is copyleft but not truly free. The developers at OpenBSD will basically make LibreSSL the new standard and you'll want to adopt it because they have a helluva track record at writing quality, low-bug code.

Does OpenBSD Actually Work Now?

[prezkennedy.org]

The last time I tried it, it didn't even recognize my USB keyboard or mouse so it was completely and entirely useless. Seems like they should focus their attention on making an OS that works on computers built within the past decade instead of forking other projects' code.

Maybe that's how it's so secure?

Re:Does OpenBSD Actually Work Now?

[DaMattster]

I've not had a problem getting OpenBSD to work. Even if your mileage varies, you have dmesg and other troubleshooting tools at your disposal. Part of the fun of UNIX-like operating systems is getting them to work when they don't. You learn a lot about troubleshooting and gain a solid understanding of computers.

Re:Does OpenBSD Actually Work Now?

It's maybe fun if you're a 15 year old living in your mom's basement. Grown adults expect such things to just work, so that they can focus on matters that are actually relevant to them.

let us hope...

Let us hope that people now realize that attention needs to be given to critical components such as SSL. I also hope that in a year or ten, Theo de Raadt isn't in the same position as Robin Seggelmann - where some flaw slips in and kaboom. I try to contribute a few $ as a private user to open source projects. The big onus lies on companies who use open source to save millions in MS-costs, etc to contribute liberally to these projects. Thankfully a few great companies even allow people to work on these open source projects during their normal work time (on the clock).

whoosh

it's like the sound of something going over your head - but you don't actually hear it.

(Other examples: ATM machine, PIN number, hot water heater)

Re:

WideOpenSSL!

Grok LibreSSL

[ConstantineM]

If anyone's looking to grok it and potentially get involved, there's a fast OpenGrok available:

http://bxr.su/o/lib/libssl/src...

So is the solution in Open Source issue

[nhat11]

Is to create another OS alternative to replace the broken one? lol

Re:Graphic design geniuses too

[hobarrera]

I didn't understand what you were talking about until I checked the CSS's source.
They forgot to embed Comic Sans, so unless you installed it manually, you'll just see plain Sans. :)

Re:Graphic design geniuses too

[AC-x]

They missed a trick tho, they could have had a few of these under the Other OS's title :)

Re:Graphic design geniuses too

Typefaces by their nature are designed to convey a specific emotions. It's the whole reason we don't simply convey written information in one fixed typeface; some are more appropriate than others given the situation.

It's not the whole reason: readability counts as well. Serifs work better at smaller font sizes in high resolution, helping us find contrasts and edges, while Helvetica style hard letters work well either at large sizes/high contrast where our eyes manage edge-finding by themselves, or at low resolutions where the serifs could not be of effect anyway. In between there is a large spectrum of what works best where: short messages? Long blocks of text? Printing technology used? Etc.

The part you mention is of course also a large part of most typefaces' mean of existence, but not the "whole reason". Comic Sans should in general be berated for its low readability as well; in this case it was apparent provocation though, so that somewhat makes it more OK :-) .

Re:Graphic design geniuses too

The fact that we're even talking about it proves the point. If they had used a respectable font, there would be no thread here talking about the terrible font choice and we'd instead be talking about the project.

PolarSSL

What about PolarSSL, a professional alternative ?

Licensing

OpenSSL.org claims the licenses are "BSD-style", but that's like putting a cow patty on your head and calling it a yarmulke. How is OpenBSD planning to get around that little hurdle?

Re:Graphic design geniuses too

[rubycodez]

suck on this thermometer: http://www.openbsdfoundation.o...

Re:What will be next: LibreSystemd?

[rubycodez]

OpenBSD already has your LibreSystemd, it's called the BSD rc script system. it fucking works, bitches.

Re:What will be next: LibreSystemd?

Already in progress:

http://www.google-melange.com/gsoc/project/details/google/gsoc2014/kremlin/5639274879778816

Re:Graphic design geniuses too

Because they could have not even added a font to the css saving even more time.

It took longer to make a shitty comic sans page, you fucking hipster dipshit.

Re:Graphic design geniuses too

They are too busy deleting and rewriting code, so they stopped to add comic sans to the page css file?

WTF?

Proving once again that BSD devs are clowns, dwarfed only by the shitheels responsible for Debian and all its bastard children.